A not-for-profit mental health and addiction services provider is suing Amazon following a hacking incident. According to the lawsuit docket, Florida-based SalusCare Inc. is suing Amazon and the hacker (named as John Doe because their identity is unknown). The lawsuit, which a U.S. District Court judge in Fort Myers has granted, alleges that Amazon did not handle a cybersecurity incident properly. Specifically, SalusCare is suing to have Amazon hand over audit logs that it previously refused to provide because the data was in an Amazon S3 bucket, and to have the court order Amazon to permanently block the alleged hacker from access to the data in question.
The lawsuit states the following about the facts of the case: On March 16, roughly 85,000-plus patient records were breached. The cause was a phishing email believed to have originated with an unknown cybercriminal based in Ukraine. Once SalusCare contacted Amazon, which hosts the servers with the compromised data, Amazon suspended the bucket accounts. These accounts were created by the hacker to host the data, presumably indefinitely, or at least until it could be circulated on the Dark Web. The lawsuit alleges that Amazon did not indicate how long the bucket accounts would be frozen. Additionally, Amazon refused to provide audit logs when requested because, in Amazon’s view, SalusCare had no legal right to the data as it was on Amazon Web Services’ network.
SalusCare is filing this lawsuit under two statutes. The first is the Computer Fraud and Abuse Act, which “creates new Federal criminal offenses of (1) property theft by computer occurring as part of a scheme to defraud; (2) altering, damaging, or destroying information in, or preventing the authorized use of, a federal interest computer; and (3) trafficking in computer access passwords.” The second is the Computer Abuse and Recovery Act, Section 668.801, which is intended to “safeguard an owner, operator, or lessee of a protected computer used in the operation of a business from harm or loss caused by unauthorized access to such computer” and “safeguard an owner of information stored in a protected computer used in the operation of a business from harm or loss caused by unauthorized access to such computer.”