This is the report of how mapping and analysis of an open elastic look led to the discovery of a misconfigured amazon s3 bucket that exposed data from hundreds of thousands of dental patients. If you live in Brazil, you may already be experiencing hack weariness from having had so much of your personal and medical information exposed online. But if you use a dentist in Brazil, the chances are good that your dental information may also experience been exposed — if your dentist uses Dental office software by Roger software and has their patient data hosted by them. Roger Software (RH Software) is a well-established Brazilian firm that offers software for dental practices, medical practices, and physiotherapy practices. in this case, some exposed data related to Dental office was first discovered in an open elastic look in September. The exposed information was very basic and incomplete, but one of the data fields contained a URL to a prefilled s3 bucket linking to a nonpayment user’s photo. Inspection of the exposed data led to the discovery of a endorse amazon s3 bucket. This endorse — and misconfigured — bucket was exposing more than 800,000 images from patients of Dental Office clients. in total, there appeared to live approximately 1,300 Dental office clients and 300,000 sum patients. The exposed patient data included info on missed appointments going rear to 2012, and older documents dated from 2008 – 2012. Most of the uploaded files appeared to be from 2012, so the older files were likely scanned in as part of the entities switching over to digital records. There were also some photos that may make been personal photos uploaded by clients, but most of the image files were patients’ facial images from different angles with dental x-rays, dental reports, or documents. All files were in image format. Some contained personally identifiable information (PII) or protected health information (PHI) such as name, age, doctor, and location, as wellspring as other personal medical information, but from the photos alone, the patients would be identifiable. Some of the photos were of young children. Attribution to Roger Software was relatively easy after inspection of ace folder on the bucket, and on October 26, this researcher contacted Roger software about the misconfigured bucket, giving them the URL and noting that approximately 800,000 files were exposed. Within 24 hours, the bucket was secured, but Roger Software did not send any acknowledgment of the notification. Datahacks.net then reached out to them to ask them whether they intended to notify their clients of the incident or any patients. Not surprisingly, no reception was immediately provided. This carry will be updated if the software firm responds, but it is not clear whether notification would even be required under Brazilian law. For those curious about that aspect, DLA Piper provided a summary in january 2019 of Brazil’s notification criteria and requirements. You can find their summary here. piece a leak involving a medical or dental exercise is not new, this incident serves as a timely reminder that sometimes, having your software provider host your patient data may provide you more vulnerable than you mightiness expect. piece mottle solutions are hailed as being break and more secure than desktop solutions that may not be updated or patched quickly and that may not be monitored by full-time security personnel, having a third party host your patient data is not a panacea. The third party may block to reinstall a firewall after an upgrade, or they may have a scallywag employee who is copying and exfiltrating your assets, they may themselves fall prey to a phishing assail or a ransomware attack, or they may just screw up. As we all know, there just is no perfect security. Reporting by lee J. Editing by Dissent.