11 million
HealthNet Insurance, a top-five US healthcare insurance provider, has reported a massive data breach affecting approximately 11 million current and former members. The breach resulted from a misconfigured Amazon Web Services (AWS) S3 bucket, which exposed access keys that attackers used to access sensitive databases. The exposed data includes a treasure trove of Personally Identifiable Information (PII) and Protected Health Information (PHI), such as Social Security numbers, addresses, and detailed medical claims history. The incident, which went undetected for over three months, has prompted regulatory scrutiny from the Department of Health and Human Services (HHS) and multiple class-action lawsuits.
The breach was discovered on June 15, 2026, after HealthNet detected unusual activity in its cloud environment. However, the investigation revealed that the initial unauthorized access occurred much earlier, around March 3, 2026. This long dwell time gave the attackers ample opportunity to explore the network and exfiltrate data.
Attack Vector: The root cause was a fundamental cloud security failure. An AWS S3 bucket, configured for public access, contained highly sensitive credentials, including access keys for other production databases. This is a critical security anti-pattern. Attackers, likely using automated scanners, discovered this exposed bucket and used the keys to pivot into the company's core data stores.
Exposed Data: The breach is particularly severe due to the nature of the data exposed:
This incident is a classic example of a cloud misconfiguration leading to a catastrophic breach. The core failure was storing static, long-lived credentials (access keys) in an insecure location (a public S3 bucket). Modern cloud security best practices advocate for using temporary, role-based credentials (e.g., IAM Roles for EC2 instances) to avoid this exact scenario.
T1595.001 - Scanning IP Blocks - Attackers likely scanned AWS IP ranges for open S3 buckets.
T1078.004 - Cloud Accounts - Attackers used the exposed access keys to authenticate to the cloud environment.
T1580 - Cloud Infrastructure Discovery - After gaining access, attackers would have enumerated other resources and databases available to the compromised credentials.
T1530 - Data from Cloud Storage Object - The attackers accessed and exfiltrated data from the sensitive databases.
T1048 - Exfiltration Over Alternative Protocol - Data was likely transferred out of the AWS environment to an attacker-controlled server.
The impact on the 11 million affected individuals is severe and long-lasting. The stolen data is a complete package for identity theft, sophisticated phishing attacks, and insurance fraud. The combination of PII and PHI is particularly potent and valuable on the dark web.
For HealthNet Insurance, the consequences are multifaceted:
Organizations should hunt for signs of similar cloud misconfigurations and breaches:
ListBuckets, GetBucketAcl, and GetObject API calls from unusual IP ranges or user agents.
S3 buckets without the Block Public Access setting enabled.
CreateAccessKey calls, or suspicious usage of existing keys from unexpected locations or services.
Cloud API Monitoring to detect anomalous API calls, access from unusual locations, or attempts to access sensitive data.
Properly configuring cloud services, such as disabling public access to S3 buckets, is fundamental to preventing this type of breach.
Avoiding the use of static, long-lived access keys in favor of temporary, role-based credentials (IAM Roles) is a critical best practice.
Continuously auditing cloud configurations using tools like CSPM can proactively identify and flag misconfigurations before they are exploited.
Implementing secret scanning in CI/CD pipelines and repositories prevents credentials from being stored in insecure locations in the first place.
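The hunting checks above as runnable detection logic, added here and not part of the original article: it applies the three indicators (S3 read calls from unusual origins, CreateAccessKey, and an existing key used from a new location) to constructed CloudTrail-style records. The trusted IP range, user-agent list and key ID are placeholders, not HealthNet values.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed CloudTrail-style records (JSON Lines), not real HealthNet telemetry. Field names
# follow the CloudTrail record format; the access key ID and IP addresses are placeholders.
SAMPLE_LOG = """\
{"eventTime": "2026-03-03T02:14:09Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.45", "userAgent": "python-requests/2.31", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2026-03-03T02:15:30Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.45", "userAgent": "python-requests/2.31", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2026-03-04T09:00:00Z", "eventName": "GetObject", "sourceIPAddress": "10.20.1.7", "userAgent": "aws-sdk-java/1.12", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2026-03-05T11:42:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/2.15", "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}}
"""

TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the organisation's VPC/corporate ranges
TRUSTED_AGENTS = ("aws-sdk-java/", "aws-cli/")         # assumption: user agents the production services use
S3_READ_CALLS = {"ListBuckets", "GetBucketAcl", "GetObject"}

def parse_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_trusted_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CIDRS)

def hunt(events):
    """Return (rule, eventTime, eventName, sourceIPAddress) tuples, in log order."""
    findings = []
    ips_per_key = defaultdict(set)  # accessKeyId -> source IPs already seen using that key
    for e in events:
        name, ip, agent = e["eventName"], e["sourceIPAddress"], e.get("userAgent", "")
        key = e.get("userIdentity", {}).get("accessKeyId", "")
        # Rule 1: S3 enumeration/read calls from an untrusted range or an unexpected user agent
        if name in S3_READ_CALLS and (not is_trusted_ip(ip) or not agent.startswith(TRUSTED_AGENTS)):
            findings.append(("s3-call-unusual-origin", e["eventTime"], name, ip))
        # Rule 2: an existing key used from a source IP it has never been seen from before
        if key and ips_per_key[key] and ip not in ips_per_key[key]:
            findings.append(("key-used-from-new-ip", e["eventTime"], name, ip))
        ips_per_key[key].add(ip)
        # Rule 3: every CreateAccessKey is reviewed, since a new long-lived credential was minted
        if name == "CreateAccessKey":
            findings.append(("access-key-created", e["eventTime"], name, ip))
    return findings

if __name__ == "__main__":
    for finding in hunt(parse_jsonl(SAMPLE_LOG)):
        print(*finding)
```

In production the same rules would run over CloudTrail delivered to a SIEM, with the trusted ranges and agents sourced from inventory rather than hard-coded.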
Implement and enforce strict Cloud Storage Policies, specifically for AWS S3. The 'Block Public Access' setting should be enabled at the account level and enforced for all buckets that do not have an explicit, risk-assessed business requirement for public access. For HealthNet, this would have been the primary preventative control. Use AWS Service Control Policies (SCPs) to prevent developers from creating publicly accessible buckets. Regularly audit S3 policies using CSPM tools to ensure compliance and detect any configuration drift.
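An offline audit of the kind a CSPM drift check performs against the Block Public Access control described above, added as an example and not code from the article or from HealthNet: bucket configurations are constructed, the four flag names are the real S3 PublicAccessBlock settings, and the exception list and account ID are placeholders.

```python
# Offline configuration audit in the spirit of the Block Public Access and CSPM drift checks above.
# Bucket configurations are constructed; the four flag names are the real S3 PublicAccessBlock settings.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

SAMPLE_BUCKETS = {
    # The breach pattern: no Block Public Access flags and a policy granting anonymous read
    "healthnet-db-credentials": {"PublicAccessBlock": {}, "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::healthnet-db-credentials/*"}]}},
    # Locked down: all four flags set, access granted only to a named role (placeholder account ID)
    "healthnet-claims-archive": {"PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True), "Policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ClaimsApp"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::healthnet-claims-archive/*"}]}},
    # Intentionally public website bucket: tolerated only if on the risk-assessed exception list
    "healthnet-public-www": {"PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                   "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
                             "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                                       "Resource": "arn:aws:s3:::healthnet-public-www/*"}]}},
}
APPROVED_PUBLIC = frozenset({"healthnet-public-www"})  # assumption: explicit, risk-assessed exceptions

def policy_grants_anonymous(policy):
    """True if any Allow statement names the anonymous principal ("*" or {"AWS": "*"})."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous:
            return True
    return False

def audit_bucket(cfg):
    """Return finding strings for one bucket configuration (empty list when compliant)."""
    findings = []
    pab = cfg.get("PublicAccessBlock", {})
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    if missing:
        findings.append("Block Public Access not fully enabled, unset: " + ", ".join(missing))
    if policy_grants_anonymous(cfg.get("Policy", {})):
        findings.append("bucket policy grants access to the anonymous principal")
    return findings

def audit_account(buckets, approved_public=frozenset()):
    """Map bucket name -> findings, ignoring buckets with an approved public-access exception."""
    report = {}
    for name, cfg in buckets.items():
        findings = audit_bucket(cfg)
        if findings and name not in approved_public:
            report[name] = findings
    return report
```

Run periodically against configuration pulled from the account, any bucket that newly appears in the report is configuration drift; an SCP denying changes to the account-level setting keeps the flags from being switched off in the first place.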
Abolish the use of long-lived static access keys for applications and services. Instead, leverage IAM Roles for service-to-service authentication within AWS. For example, an EC2 instance or Lambda function needing access to S3 should be assigned an IAM Role with the minimum required permissions. This provides temporary, automatically rotated credentials, eliminating the risk of static keys being exposed as they were in the HealthNet breach. Conduct a thorough analysis of all existing IAM policies and roles to ensure they adhere to the principle of least privilege.
Integrate automated secret scanning tools into the software development lifecycle. These tools should scan code repositories during pre-commit and CI/CD pipeline stages to detect and block any hardcoded credentials, such as the AWS access keys that caused the HealthNet breach. Additionally, perform retrospective scans of all existing S3 buckets and code repositories to find and remediate any exposed secrets that may already exist. This proactive measure prevents credentials from ever being stored in an insecure location.
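A minimal pre-commit / CI secret scanner of the kind recommended above, added as an example and not code from the article or any particular scanning product. It relies on the documented shape of AWS access key IDs (AKIA or ASIA followed by 16 uppercase alphanumerics); the secret-key rule is a heuristic, the allow-list marker is an assumption, and the sample files and key values are constructed placeholders.

```python
import re
import sys

# AWS access key IDs begin with AKIA (long-lived) or ASIA (temporary) followed by 16 uppercase
# alphanumerics; the secret-key rule is a heuristic: a 40-char base64-like value assigned to a
# secret-looking variable. The sample files below are constructed, with placeholder key values.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?i)(aws_?secret_?access_?key|secret)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
ALLOW_MARK = "# secret-scan: allow"  # assumption: explicit opt-out for non-secret test fixtures

SAMPLE_FILES = {
    "config/prod.ini": "[default]\naws_access_key_id = AKIAEXAMPLE000000001\n"
                       "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "app/settings.py": "REGION = 'us-east-1'\nBUCKET = 'healthnet-claims'\n",
    "tests/fixtures.py": "KEY = 'AKIATESTFIXTURE00000'  # secret-scan: allow\n",
}

def mask(value):
    """Never echo a full credential into CI logs: keep only the first and last four characters."""
    return value[:4] + "..." + value[-4:]

def scan_text(path, text):
    """Return (path, line_no, rule, masked_value) for every credential-looking token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARK in line:
            continue
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws-access-key-id", mask(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws-secret-access-key", mask(m.group(2))))
    return findings

def scan_files(files):
    """files: mapping of path -> content, as a pre-commit hook or CI step would supply it."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

def main(files=SAMPLE_FILES):
    """Exit status for the pipeline gate: 1 blocks the commit or build when secrets are found."""
    findings = scan_files(files)
    for path, line_no, rule, masked in findings:
        print(f"{path}:{line_no}: {rule} ({masked})")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

The same scan_files function can be pointed at objects downloaded from existing S3 buckets for the retrospective sweep the recommendation calls for.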
Attackers gain initial unauthorized access to HealthNet's network via the misconfigured S3 bucket.
HealthNet Insurance detects unusual activity in its cloud data environment, discovering the breach.
HealthNet files a data breach notification, publicly disclosing the incident.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.