Systema Software, a provider of claims management software solutions, is investigating a breach that exposed the personal information of at least 1.5 million of its customers.
According to The Register, insurers using Systema Software allegedly posted the names, addresses, phone numbers, medical records, and other personal information in the clear to Amazon Web Services (AWS).
It is currently unclear how that information was posted, and the exact number of individuals affected by this breach remains uncertain.
The breach was spotted by technology enthusiast Chris Vickery, who has stated that much of the data appeared to concern Kansas residents and may have included the entire Kansas State Self Insurance Fund SIMS database, which contains sensitive personal information of approximately 1.1 million people.
Vickery has reported that data from the CSAC Express Insurance Authority (CSAC-EIA) was also exposed. Specifically, he was able to read the details of some 3 million payment transactions dating back to 1987.
Other databases that may have been affected by the breach include American All-Risk Loss Administrators (AARLA)/Risico, Millers Mutual Group, and Crosswalk Claims Management.
Systema Software has released the following statement in response to the breach:
“Systema Software recently became aware that a single individual gained unapproved access into our data storage system containing data belonging to certain Systema clients. In addition to communicating with Systema, this individual also self-reported this discovery to the proper authorities and impacted clients and is in the process of working with the Texas Attorney General to securely wipe all data from his hard drive. While our investigation is still ongoing, it is important to note that, based on our initial review, we have no indication that any data has been used inappropriately.”
The company went on to state that it has launched internal reviews of its servers, begun to notify affected organizations, and is currently working with a forensic IT firm.
Additionally, public access to the AWS subdomain where the information was first posted has since been revoked.
The Systema Software incident marks the latest breach of medical data, and the company joins the ranks of Anthem, Premera, and Excellus BlueCross BlueShield.