After multiple unsuccessful attempts to capture a popular japanese medical online consultation site to secure a misconfigured bucket, researchers at SafetyDetectives get decided to publicly expose the leak. Doctors me provides customers with on-demand access to professional medical advice. People can signal up for a monthly unlimited access program (for less than $3.00 per month) or a per audience plan with specified experts. The patients canful utilisation the service anonymously, but in uploading pictures or details about themselves or their children, they may reveal identifying information. Some of the image files reportedly provide sufficient views to live able to identify some patients or children. When first discovered, the misconfigured bucket contained more than 300,000 image files.� SafetyDetectives could not provide a firm count of how many unique consumers had personal information exposed, but approximate that there are at least 12,000 unique individuals represented. The misconfigured bucketful was discovered on november 11, 2021. SafetyDetectives notified Doctors me the same day and sent a reexamination message to the firm and the japanese computer Emergency answer team (CERT) on november 21. On november 25, they sent a sec observation to CERT and also contacted amazon AWS. On december 15 and January 10, they sent more notifications to japanese CERT. On january 11, CERT informed SafetyDetectives that they contacted amazon AWS. Despite SafetyDetectives’ efforts, the bucket still has not been secured. Although amazon will reaching out to let their customers know if they have reports of unsecured buckets, the responsibility to secure the bucketful remains with the customer. SafetyDetectives could not ascertain when the bucket was first exposed. Nor could it determine how many individuals or scrapers might get accessed the exposed files. The oldest file in the bucket reportedly dates to 2015, and the bucketful was still being updated at the time of discovery. a spokesperson for SafetyDetectives informed DataBreaches.net that they never received any response at all from Doctors Me. When asked why they decided to disclose the problem at this time, the spokesperson answered: We always make our best to have the data secured before we publish anything. But sometimes, waiting so much can also be harmful for the data as it gives the opportunity to other actors (with less ethical mindset) to find it and exploit it. We tried several times to touch the company, we also tried the CERT in Japan, the hosting… We’ve used all our resources. Our last chance for the companion to know about their misconfiguration is to publish our account and hope they’ll read about it in the intelligence and finally secure it. Additional details about their findings and possible risks to consumers from this leak can be found in SafetyDetectives’ full report. Under Japan’s represent on the Protection of Personal Information (APPI), there is an obligation to properly secure personally identifiable information. Was Doctors me required to notify the administration of this incident? Was it required to notify consumers? And if it did have notification obligations, has it complied with them? DataBreaches.net sent a tangency spring inquiry to Doctors me on march 20, asking whether they were notifying patients of the incident, whether they had notified the Personal Information protection Commission (PIPC), and what they were doing in response to this incident. No reply has been received by the time of this publication. If anyone has a contact at Doctors Me or knows any of the doctors/experts who might be able to capture the firm to ringlet down the bucket, please allow them know about the data exposure.
