Despite the movement towards cloud computing, the involvement of a third-party is quite challenging when dealing with sensitive information. This article proposes a practical scheme for making possible to outsource medical data to fully malicious clouds while preserving privacy, resulting in a ready-to-go architecture based on hybrid encryption carried out at the client-side. Standard efficient cryptographic primitives are used to provide dynamic key management with no further assumptions about the data structure. We also encompass two-factor authentication to combine passwords with tokens generated by mobile devices, averting cumbersome smart cards or biometrics., The resulting framework is evaluated through a real-world cloud application, producing a full-featured prototype with a controllable shared access model not exploitable by any opponents.