A security researcher discovered a misconfigured AWS S3 bucket belonging to EpiSource, a service and software provider for healthcare payers and provider organizations. According to databreaches.net, EpiSource’s investigation confirmed that their AWS S3 bucket was encrypted but had been misconfigured, enabling researchers to bypass the encryption. Researchers gained access to files containing protected health information on approximately 500 patients from various payers or providers. EpiSource’s investigation revealed no evidence that anyone besides the researchers accessed the files. The NJCCIC recommends administrators of Amazon S3 storage buckets review our previousNJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible. Additionally, we recommend those whose health information may have been stored by EpiSource to monitor their credit and health insurance claims as the information exposed in this breach could be used by threat actors to conduct identity theft or file false insurance claims.