Contractor error is being blamed for a data breach which left millions of documents containing highly sensitive personal information freely accessible on the web.

Last month, Systema Software, a US company that provides claims management software hosted by Amazon Web Services (AWS), became the latest company to suffer a data breach of significant proportions. Documents belonging to insurance companies, county authorities and the software company itself were left exposed on a public sub-domain of AWS. These documents included police injury reports, drug tests, doctors' notes and social security numbers.

Given that much of the information that was compromised was health information, Systema could be facing a breach of the US Health Insurance Portability and Accountability Act, in that it failed to protect the security of electronic health information.

Fortunately in this case, the leak was uncovered by a well-intentioned technology enthusiast who immediately contacted the organisations whose data had been compromised. It also appears that he was the only person to access the data before it was removed, although it is not yet known how long it was available.

So it looks like those involved got lucky this time. However, had this data found its way into the wrong hands, the implications for those organisations, and the affected individuals, could have been serious indeed.

In Australia, a number of States and Territories (NSW, Victoria and the ACT) have specific health records legislation which requires organisations that handle health information to take reasonable steps to keep the information secure. These requirements are in addition to the requirements of the Commonwealth Privacy Act 1988, under which health information is a type of 'sensitive information' and consequently attracts more onerous obligations.

The incident is a timely reminder that, despite all the recent media attention on external hacking threats, just as much damage can be caused by organisations' own mistakes and failures to take adequate steps to protect the personal information they hold.