Write-up 07 / 07

Responsible Disclosure: Public S3 Bucket Leaking Patient PHI at a Hospital Group

Discovered a publicly accessible healthcare S3 bucket exposing test reports, billing data, and personal information of patients, employees, and doctors. Delivered a full responsible-disclosure report as a professional courtesy.

June 2024 · India · Single-session responsible disclosure

Stack: AWS S3 (ap-south-1) · AWS CLI · Public-facing patient portal

The situation

A multi-city hospital group had a patient portal where patients could download their own diagnostic reports. The download button pointed straight at an AWS S3 URL with no signed-URL protection. A quick look at the bucket showed it was publicly listable with no authentication, and every patient's medical records and billing data were just sitting there on the open internet.

What I found

The bucket was publicly accessible without authentication in the ap-south-1 region. Directory listing was on, so the full object index was visible through a normal browser, and the entire contents were downloadable anonymously with aws s3 cp --no-sign-request. There was no access logging or anomaly monitoring configured on it either.

The content inside was what made it serious: patient diagnostic and test reports, billing information and payment records, and personal details of patients, employees, and doctors. And the patient portal itself was helping: its download links resolved directly to raw S3 URLs with no signed URL or time-limited access, so anyone who had ever been issued a link could theoretically rummage around from there.

What I did

I found the S3 endpoint by inspecting what the patient portal's download button actually pointed at, then validated the public read permissions with aws s3 ls --no-sign-request. I confirmed the scope of the exposure without downloading any patient records, because that's the right thing to do when you're poking at someone else's data.
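As an added illustration of that listing check (my code, not anything from the original write-up): the same unsigned request that aws s3 ls --no-sign-request makes, done in Python, followed by an inventory of the exposure taken from the listing XML alone. The bucket name, region endpoint, key names and sizes in SAMPLE_LISTING are constructed placeholders, and fetch_listing and object_is_readable are helpers assumed here; the HEAD check is included because a listing only proves ListBucket, not GetObject.

```python
"""Inventory a publicly listable S3 bucket from its anonymous listing alone.

Added example, not from the original write-up. The bucket name, keys and
sizes in SAMPLE_LISTING are constructed; no real hospital data is involved.
"""
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import Counter

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed sample of the XML an anonymous GET on a listable bucket returns
# (this is what the browser shows when directory listing is on).
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-hospital-reports</Name>
  <Prefix></Prefix>
  <KeyCount>5</KeyCount>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>reports/2024/06/PAT-0001/cbc.pdf</Key><Size>182334</Size></Contents>
  <Contents><Key>reports/2024/06/PAT-0002/lipid-profile.pdf</Key><Size>90112</Size></Contents>
  <Contents><Key>billing/2024/06/INV-7781.csv</Key><Size>4021</Size></Contents>
  <Contents><Key>hr/staff-directory.xlsx</Key><Size>55000</Size></Contents>
  <Contents><Key>static/logo.png</Key><Size>12000</Size></Contents>
</ListBucketResult>"""


def fetch_listing(bucket, region="ap-south-1"):
    """Unsigned GET of the bucket root, the same call `aws s3 ls --no-sign-request`
    makes. Only the index is transferred, never an object body."""
    url = f"https://{bucket}.s3.{region}.amazonaws.com/?list-type=2"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode()


def parse_listing(xml_text):
    """Return ([(key, size), ...], is_truncated) from a ListBucketResult document."""
    root = ET.fromstring(xml_text)
    objects = [
        (c.findtext(S3_NS + "Key"), int(c.findtext(S3_NS + "Size")))
        for c in root.iter(S3_NS + "Contents")
    ]
    truncated = root.findtext(S3_NS + "IsTruncated") == "true"
    return objects, truncated


def summarize(objects):
    """Object and byte counts per top-level prefix: enough to describe the
    scope of an exposure in a report without opening a single file."""
    count, size = Counter(), Counter()
    for key, nbytes in objects:
        top = key.split("/", 1)[0]
        count[top] += 1
        size[top] += nbytes
    return {p: {"objects": count[p], "bytes": size[p]} for p in count}


def object_is_readable(bucket, key, region="ap-south-1"):
    """HEAD on one object: proves anonymous GetObject (a listing only proves
    ListBucket) while transferring headers, not content."""
    url = f"https://{bucket}.s3.{region}.amazonaws.com/" + urllib.parse.quote(key)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 403 here means ListBucket is open but GetObject is not


if __name__ == "__main__":
    objs, truncated = parse_listing(SAMPLE_LISTING)
    for prefix, stats in summarize(objs).items():
        print(f"{prefix:10} {stats['objects']:5d} objects {stats['bytes']:10d} bytes")
    if truncated:
        print("listing truncated: more than one page of keys, paginate before reporting counts")
```

On a real bucket you would feed fetch_listing(bucket) into parse_listing and watch the IsTruncated flag, since a single page of a large bucket understates the scope; the summary per prefix is what belongs in the disclosure, not file contents.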

From there I wrote a formal disclosure report: vulnerability details, step-by-step reproduction, and a prioritised remediation plan citing the Indian IT Rules 2011, Article 21 of the Constitution of India, GDPR, and HIPAA equivalents. The immediate recommendations were straightforward: block public access, audit the bucket policies, and remove the anonymous-read ACLs. For the longer term I suggested signed URLs with short expiry on report downloads, least-privilege bucket policies, and CloudTrail plus GuardDuty for S3. The report went to the hospital group's contact channel as a professional courtesy.
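As an added example of the signed-URL recommendation (my code, not the hospital's and not from the original write-up): a presigned S3 GET built by hand with SigV4 query parameters, so the pieces the portal's raw links were missing (credential scope, timestamp, expiry, signature) are visible, with the portal-side expiry cap made explicit. Bucket, key, region, credentials and the 300-second MAX_EXPIRY are placeholders and assumptions; in production boto3's generate_presigned_url produces the same URL shape and is the right call to use.

```python
"""Short-expiry presigned GET for a report object, built with SigV4 by hand.

Added example, not code from the original write-up. Bucket, key, credentials
and MAX_EXPIRY are placeholders; boto3's generate_presigned_url is the
production route and yields the same URL shape.
"""
import calendar
import hashlib
import hmac
import time
import urllib.parse

MAX_EXPIRY = 300  # assumed portal policy: a report link is valid for 5 minutes


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret, date, region, service="s3"):
    """Derive the per-day SigV4 signing key; the raw secret never signs anything."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(bucket, key, region, access_key, secret, expires, now_ts):
    """Return a time-limited GET URL for s3://bucket/key issued at now_ts (epoch seconds)."""
    if not 1 <= expires <= MAX_EXPIRY:
        raise ValueError(f"expiry must be 1..{MAX_EXPIRY} seconds")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now_ts))
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted keys, RFC 3986 encoding ("/" becomes %2F).
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = "/" + urllib.parse.quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_qs,
        f"host:{host}\n",   # canonical headers block, each line newline-terminated
        "host",             # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret, date, region), string_to_sign.encode(), hashlib.sha256
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def is_expired(url, now_ts):
    """The window S3 enforces alongside the signature: X-Amz-Date + X-Amz-Expires."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    issued = calendar.timegm(time.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"))
    return now_ts > issued + int(q["X-Amz-Expires"][0])


if __name__ == "__main__":
    issued = int(time.time())
    link = presign_get("example-hospital-reports", "reports/2024/06/PAT-0001/cbc.pdf",
                       "ap-south-1", "AKIAEXAMPLEKEY", "example-secret", 300, issued)
    print(link)
    print("expired after 10 min:", is_expired(link, issued + 600))
```

The point for the portal is the shape of the link: the object key is no longer a secret worth protecting, because the URL carries a signature bound to one key, one credential scope and a few minutes of validity, and the bucket itself stays private with public access blocked.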

How it landed

The formal disclosure report went out with public-bucket evidence, step-by-step reproduction, and a prioritised remediation plan, citing the Indian IT Rules 2011, Article 21 of the Constitution of India, GDPR, and HIPAA. No payment taken. It was sent as a professional courtesy, to give the hospital's internal security team enough evidence to get patching approved internally.