Insurance startup leaks sensitive customer health data

The storage bucket wasn't protected with a password and was accessible by anyone.
Written by Zack Whittaker, Contributor


A software startup that provides independent insurance brokers with customer management software has exposed highly sensitive information on thousands of insurance policy holders.

A vast cache of data was stored in an Amazon S3 storage bucket by AgentRun, a Chicago, Ill.-based company founded in 2012 by Andrew Lech, a former independent insurance broker.

The bucket stored thousands of files of broker clients using the company's platform, including highly sensitive personal information like insurance policy documents, health and medical information, and some financial data.

The bucket wasn't protected with a password and was accessible by anyone.

Andrew Lech, the company's founder, admitted the breach in an email.

"We were migrating to this bucket during an application upgrade and during the migration the permissions on the bucket were erroneously flipped," he said.


The bucket was closed within an hour of disclosure.
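The failure described above is a bucket whose ACL or policy opens it to anyone. The following defender-side check is added here as an example; it is not code from the article or from AgentRun. It flags ACL grants to the AllUsers/AuthenticatedUsers groups and bucket-policy Allow statements with a wildcard principal and no Condition, run over constructed sample input shaped like the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return (the owner IDs, bucket name and Sid are made-up placeholders).

```python
"""Offline check for S3 ACL grants and bucket-policy statements that open a bucket to
anyone. Inputs mirror the JSON from `aws s3api get-bucket-acl` / `get-bucket-policy`."""
import json

# Canned grantee groups that AWS treats as "everyone" / "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl: dict) -> list:
    """Return one finding per ACL grant whose grantee is a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings

def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (alone or inside a list)."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_json: str) -> list:
    """Return one finding per Allow statement open to any principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    return [f"policy statement {s.get('Sid', '?')} allows {s.get('Action')} to any principal"
            for s in statements
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

# Constructed sample: what an "erroneously flipped" bucket's ACL and policy could look like.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL) + public_policy_statements(SAMPLE_POLICY))
```

Running this against every bucket's ACL and policy on a schedule catches a flip like the one described; enabling S3 Block Public Access at the account level stops such a grant from taking effect at all.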

The data included detailed insurance policy documents containing names, postal addresses, dates of birth, and phone numbers. In some cases there were also documents revealing an income range, ethnicity, and marital status.

Many of the documents were scans of people's identification documents, including Social Security cards and numbers, Medicare cards, and other documents, such as driver's licenses, and armed forces and voter identification cards.

Some policy holders also enclosed blank bank checks.

The data also included sensitive health information, including a person's prescriptions, dosages, and costs -- which can identify medical conditions.

Insurance companies found in the data included Cigna, TransAmerica, SafeCo Insurance, Schneider Insurance, Manhattan Life, and Everest -- to name a few.


According to the startup's website, the company claims its service is "secure" and uses the "latest encryption standards" to protect sensitive data, but we found no evidence that any encryption was used on the data stored in the bucket.

Lech said that the company will notify customers and all individuals whose data was breached.

"We will also be notifying the proper authorities," he said, per state breach notification laws.
