iCliniq inadvertently exposes medical data of nearly 20000 patients due to cloud server misconfiguration

• ICliniq’s misconfigured Amazon S3 bucket contained medical documents of around 20,000 patients.
• The exposed information included patients’ blood screens and HIV tests.

India-based online medical consultation service, iCliniq inadvertently left medical documents of thousands of patients publicly accessible. The breach was caused due to a misconfigured Amazon S3 bucket.

The global health startup patched the unsecured bucket after it was notified about the breach by a German security researcher Matthias Gliwka. The researcher reported the matter to The Register after the firm failed to respond to his alerts.

Yet another poorly secured cloud-based database

According to Gliwka, the poorly patched cloud storage database contained medical documents of around 20,000 patients, including crucial information such as blood screens and HIV tests.

The security expert came across the unsecured S3 bucket while he was developing a tool to discover leaks sensitive of nature.

"During the research on how to approach this problem I came across a multitude of buckets with sensitive information," he said, The Register reported.

Gliwka said that he was able to establish access to iCliniq’s S3 bucket and that the test files which he had uploaded through the website, were visible in the unsecured cloud service. The German researcher also found that iCliniq.com suffered from IDOR vulnerability.

In other words, the online medical service likely failed to check for permissions in its web app, which in turn, made every question asked by any member visible to all users, just by guessing the ID number of the question.

iCliniq's response

iCliniq’s data protection officer Siddarth Parthiban confirmed the breach and apologized to Gliwka for the firm’s inattentiveness towards the vulnerability notification.

When iCliniq finally responded to Gliwka’s alerts, Siddarth and the team were quick to take immediate actions such as transfering the data to a secured database.

"I confirm that ONLY files of the two states in India (Tamil Nadu and Punjab) were public. Files of other regions/countries/continents were/are NOT public,” said Parthiban, The Register reported. “The S3 folder taken for these regions in India must have been moved [from] private.”

Gliwka confirmed that the issue was fixed and that the leaky Amazon S3 bucket is no longer publicly accessible.

"The Amazon S3 bucket no longer publicly lists its contents and the direct links to documents I have the link to are no longer accessible," Gliwka said. The IDOR vulnerability, which allowed to see the private questions of other users, is also fixed,"