UPDATED 23:47 EDT / MARCH 15 2018


St. Louis hospital operator the latest to expose data via misconfigured cloud storage

Another day, another data breach in the medical industry.

Today’s version comes from BJC Healthcare, a St. Louis-based nonprofit organization that runs two nationally recognized academic hospitals, Barnes-Jewish Hospital and St. Louis Children’s Hospital.

The data breach, which is believed to have affected at least 33,000 patients, does not appear to have been the result of hacking. Instead, it looks like another case of misconfigured cloud storage: BJC’s own statement describes the documents as “accessible through the Internet without the appropriate security controls.”

Data on the server, which BJC says was publicly reachable between May 9, 2017, and Jan. 23, 2018, included copies of patient driver’s licenses, insurance cards and treatment-related documents collected during hospital visits between 2003 and 2009. Other information potentially accessible included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-related information. BJC Healthcare said it has no evidence that the data was accessed by malicious actors.

Carl Wright, chief revenue officer at AttackIQ Inc., told SiliconANGLE that this is another case of companies both large and small failing to implement basic security protection.

“This trend is disturbing as the cost of recovering from a breach is far more expensive than conducting proactive testing to validate that the security products and services, which you have already purchased and implemented, are working correctly,” Wright said. “Consequently, these types of failures can be easily avoided.”

Zohar Alon, co-founder and chief executive officer at Dome9 Security Inc., said the fact that BJC Healthcare only identified the data breach during a seemingly annual security scan is a problem in itself.

“Security-conscious organizations are moving away from periodic, semiannual internal scans and investing in continuous security and compliance capabilities that allow them to monitor and get alerted on such exposures quickly,” Alon explained. “Unfortunately, there’s still a large number of organizations that have not made this transition for one reason or another – whether that’s budget constraints or the talent and expertise they have at their disposal.”

Alon did not hold back, saying that in the age of the public cloud, where attacks are increasingly automated and the window to respond is getting shorter, allowing sensitive data to be exposed for months is inexcusable and can be costly.

“Organizations have historically relied on manual data gathering and manually triggered scans to find such vulnerabilities,” he said. “Without automation to simplify and speed this process up, these scans can get time-consuming, especially for organizations such as BJC Healthcare. Given the influx of AWS S3 disclosures since the beginning of 2017, it should go without saying that continuous compliance and active cloud protection are really the only way to keep an organization’s sensitive information secure.”
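The kind of continuous check Alon is describing is, at its core, a small policy evaluation that runs against every bucket on a schedule rather than twice a year. The following is an added example written for this page (it is not BJC’s or any vendor’s code) that evaluates the three things that make an S3 bucket Internet-reachable: the bucket’s public access block settings, ACL grants to the AllUsers/AuthenticatedUsers groups, and bucket policy statements that Allow a wildcard principal. The inputs are the dict shapes the S3 API returns; the bucket name, account ID, role name and sample grants below are constructed for illustration.

```python
"""Offline S3 public-exposure check (added example; inputs are constructed).

A real scanner would fetch these dicts per bucket with boto3's
get_public_access_block, get_bucket_acl and get_bucket_policy and then run
the same evaluation on a schedule, alerting on any non-empty result.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}
# The four settings behind S3 Block Public Access; all four should be True.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON lets most fields be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_access_block_findings(pab):
    """Report every Block Public Access setting that is missing or False."""
    return [f"public access block: {k} is not enabled"
            for k in BLOCK_KEYS if not pab.get(k)]


def acl_findings(acl):
    """Report ACL grants to the two global groups, whatever the permission."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            out.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GROUPS[uri]}")
    return out


def policy_findings(policy):
    """Report Allow statements whose principal is everyone.

    A Deny to "*" is not an exposure. An Allow to "*" carrying a Condition
    (e.g. aws:SourceVpce) may be narrowed, so it is flagged for review rather
    than as a definite exposure.
    """
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            out.append(f"policy statement {sid} allows {actions} to everyone, "
                       f"limited only by a Condition (review)")
        else:
            out.append(f"policy statement {sid} allows {actions} to everyone")
    return out


def evaluate_bucket(name, public_access_block, acl, policy):
    """Return every reason the bucket is (or may be) reachable from the Internet."""
    findings = (public_access_block_findings(public_access_block)
                + acl_findings(acl) + policy_findings(policy))
    return [f"{name}: {f}" for f in findings]


# Constructed sample: a bucket left open the way the article describes.
# Bucket name, owner ID and account number are hypothetical.
EXPOSED = {
    "name": "patient-scans-2003-2009",
    "public_access_block": {k: False for k in BLOCK_KEYS},
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::patient-scans-2003-2009/*"}]},
}

# The same bucket with the settings a continuous check should expect to see.
HARDENED = {
    "name": "patient-scans-2003-2009",
    "public_access_block": {k: True for k in BLOCK_KEYS},
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::patient-scans-2003-2009/*"}]},
}

if __name__ == "__main__":
    for bucket in (EXPOSED, HARDENED):
        findings = evaluate_bucket(**bucket)
        print(bucket["name"], "->", "no public exposure" if not findings else "EXPOSED")
        for line in findings:
            print("  ", line)
```

Run against the constructed inputs, the exposed bucket produces six findings (four disabled Block Public Access settings, the AllUsers ACL grant and the wildcard GetObject statement) and the hardened one produces none. The point of separating the three checks is that each closes a different door: Block Public Access prevents new public ACLs and policies from taking effect, but an inventory still has to look at the ACL and policy of buckets created before it was turned on.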

Image: BJC Healthcare
