Rotherwood Healthcare AWS bucket security fail left elderly patients' DNR choices freely readable online


Plus birth certificates, job interview data and more


A leak of 10,000 records at a Leicestershire care home provider exposed elderly patients' wishes not to be resuscitated, detailed care plans and precisely how much councils paid for individual patients' care.


Not only did Rotherwood Care Group, trading as Rotherwood Healthcare, leave an Amazon S3 bucket accessible to everyone on the internet, the company’s website privacy policy consisted solely of lorem ipsum placeholder text.


The leak came from an S3 bucket that was left unsecured. The Register was alerted to it by a security researcher who also informed his local branch of the GCHQ-sponsored Cyber Protect network.
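The failure described above is a bucket whose access controls allowed anyone on the internet to read it. The check below is an added example, not code from The Register or Rotherwood, showing how an auditor would classify a bucket from the three S3 configuration documents that govern public exposure: the bucket ACL (GetBucketAcl), the bucket policy (GetBucketPolicy) and the account or bucket Block Public Access settings (GetPublicAccessBlock). The two sample configurations are constructed to mirror the shapes those API calls return; the bucket name, owner ID and role ARN are placeholders. The first sample is the weak setting (AllUsers READ on the ACL, a Principal "*" policy, Block Public Access off); the second is the corrected one.

```python
"""Classify an S3 bucket as public, private or needing review from its
ACL, bucket policy and Block Public Access configuration.

Added example (not from the article or from Rotherwood). The sample
documents below are constructed to match the JSON shapes returned by
GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock.
"""

# Grantee URIs S3 uses for "anyone" and "any AWS account" in bucket ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions and policy actions that let an outsider list or fetch objects.
READ_PERMS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:*", "s3:getobject", "s3:listbucket", "s3:get*", "s3:list*"}


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions(stmt):
    acts = stmt.get("Action", [])
    if isinstance(acts, str):
        acts = [acts]
    return {a.lower() for a in acts}


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants giving read to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if grant.get("Permission") in READ_PERMS:
                found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def public_policy_statements(policy):
    """Return (flagged, review): Sids of Allow statements granting read
    actions to a public principal. Statements carrying a Condition may be
    narrowed (e.g. by source IP), so they go to 'review' rather than 'flagged'."""
    flagged, review = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if not (_actions(stmt) & READ_ACTIONS):
            continue
        (review if stmt.get("Condition") else flagged).append(stmt.get("Sid", "<no Sid>"))
    return flagged, review


def block_public_access_complete(pab):
    """True only when all four Block Public Access switches are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def assess_bucket(acl, policy, pab):
    """Verdict: 'public', 'review' or 'private'. With Block Public Access fully
    on, public ACL grants are ignored and public policies are refused, so the
    bucket is treated as private regardless of the other two documents."""
    if block_public_access_complete(pab):
        return "private"
    if public_acl_grants(acl):
        return "public"
    flagged, review = public_policy_statements(policy)
    if flagged:
        return "public"
    return "review" if review else "private"


# Constructed sample 1 (weak): AllUsers can READ via the ACL, a policy also
# allows anonymous GetObject, and Block Public Access is switched off.
OPEN_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}
PAB_OFF = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

# Constructed sample 2 (corrected): owner-only ACL, access granted to one IAM
# role (placeholder ARN), and Block Public Access fully on.
CLOSED_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
]}
CLOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
]}
PAB_ON = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("weak configuration:     ", assess_bucket(OPEN_ACL, OPEN_POLICY, PAB_OFF))
    print("corrected configuration:", assess_bucket(CLOSED_ACL, CLOSED_POLICY, PAB_ON))
```

The check reads configuration only; it is the kind of control an owner runs over every bucket in an account, and it catches exactly the failure mode here, where the data was reachable without any credentials. A conditioned public statement is deliberately sent to "review" rather than cleared, because a condition such as a source-IP range narrows the grant only if the range is actually tight. The one thing configuration review cannot replace is an external confirmation from outside the account, since the effective result also depends on account-level Block Public Access and on object ACLs.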


When The Register contacted Rotherwood to ensure the open data was closed off prior to publication of this article, the company responded with lawyers' letters.


Rotherwood Healthcare's online privacy policy.



Lorem ipsum, sometimes known as lipsum, is default placeholder text used in design and publishing.


The unsecured S3 bucket appeared to be backing Rotherwood's internal system, a CRM-style software suite that appears to be used to capture and store essential data about both staff and patients.


Around 10,000 individual files were left exposed in the bucket. Among them were internal care plan audits, prepared for care home staff to assess whether the care plans themselves were fit for use; these documents included not only patients' full names and health conditions but also their "DNACPR" (do not attempt cardiopulmonary resuscitation) choices.


Scans of what appeared to be staff members’ passports and birth certificates were also in the bucket, along with job interview questions and answers.


Emails from local councils confirming exactly ho ..