A federal judge has granted a request from SalusCare, a mental health and substance abuse services provider, to block an alleged hacker from accessing patient data that the hacker allegedly stole and copied to cloud storage on Amazon Web Services.
It’s part of a lawsuit Fort Myers, Fla.-based SalusCare filed last week in federal court in Florida against AWS—Amazon’s cloud arm—and an alleged anonymous hacker referred to as John Doe.
SalusCare sued, seeking damages from Doe and for Amazon to suspend access to the data, one week after it learned it had been a victim of a data breach.
A computer technician at SalusCare on March 16 allegedly discovered that the organization’s server had been accessed and copied by Doe, according to court documents. Doe allegedly exfiltrated data held on the server to two virtual storage “buckets” on AWS. The server housed a database of thousands of patient and employee files, including medical and financial data.
SalusCare has spent more than $12,000 on forensic analysis services to address the data breach, according to audit logs from SalusCare cited in court documents, and the code the hacker allegedly used to access and copy the data originated in Ukraine.
Amazon’s general counsel office told SalusCare it suspended Doe’s access to the data, but did not commit to maintaining the suspension, according to court documents.
SalusCare subsequently requested a temporary restraining order from the court, so that Doe will not be able to continue accessing the copied data.
Under the temporary restraining order, AWS is barred from allowing anyone to access the contents of the two storage buckets and Doe is barred from directly or indirectly accessing or disclosing the data allegedly stolen from SalusCare. The temporary restraining order remains in effect through at least April 8.
SalusCare under the order is also directed to post a bond for $1,000, which will serve as payment for damages if the order is later found to be a wrongful injunction or restraint.
AWS did not oppose the temporary restraining order.
“The threatened harm to SalusCare outweighs any potential harm to Amazon or John Doe,” reads the judge’s order.
“SalusCare will suffer irreparable harm to its business operations if the information is disclosed,” the order reads. “Amazon will suffer no conceivable harm in a temporary freeze of the Buckets and has voluntarily suspended access to them. At worst, John Doe suffers a temporary loss of access to the information.”
The judge also granted SalusCare’s motion for expedited discovery, under which Amazon will provide SalusCare audit logs related to the storage buckets, so that it can identify what allegedly stolen information has been disclosed and to whom.
Amazon did not oppose the requested discovery.
SalusCare was not a customer of AWS, said SalusCare’s attorney J. Tom Smoot. That made it challenging to get AWS’ cooperation through its publicly accessible channels, he said.
“The fraudster used Amazon to park its stolen merchandise,” Smoot said. So, “in this case, Amazon’s customer was the fraudster, and not the victim.”
Since connecting with the company’s general counsel office, Smoot said the company has been more responsive to SalusCare’s concerns.
SalusCare is waiting to receive the audit logs from AWS, as required by the motion for expedited discovery.
“We’re optimistic that Amazon will provide them very shortly,” Smoot said.
AWS did not immediately respond to requests for comment.