Clinical Trials Database Containing 1.6 Million Records Exposed Online
A database containing approximately 1.6 million clinical trial records has been exposed over the Internet and could be accessed without a password. The 2 TB database was found by cybersecurity researcher Jeremiah Fowler, who reports that the database contains 1,674,218 records, including PDF survey results that include sensitive personal and medical information.
The exposed data included names, phone numbers, email addresses, dates of birth, vaccination information, current medications, health conditions, and patient notes. In some cases, the notes included doctors’ names, pregnancy status, adverse reactions to previous vaccines, and whether individuals were on birth control. The records related to individuals across the United States. An analysis of a limited sample of the records found no duplicates, although, given the size of that sample, Fowler could not rule out the possibility that the same individuals had enrolled in separate surveys.
Fowler, of the firm Security Discovery, identified DM Clinical Research as the potential owner from the name of the database and references within the database. DM Clinical Research is a network of clinical investigator sites that connects patients with physicians to conduct studies for new and alternative medications and provides clinical trials as a treatment option for certain patients.
Fowler reported his findings to DM Clinical Research, and the database was secured within 24 hours. Fowler said it is unclear if the exposed database was directly managed by DM Clinical Research or a third party. It is also unclear how long the database was exposed online or if the database was found and accessed by anyone else.
While this is clearly a major breach of sensitive personally identifiable information (PII), and the information in the database meets the definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), this is unlikely to be a reportable breach under HIPAA.
HIPAA only applies to HIPAA-covered entities and business associates of those entities. DM Clinical Research falls outside of the definition of a HIPAA-covered entity and is unlikely to be considered a business associate, as the information in the database appears to have been collected directly from individuals rather than a covered entity. Any requirement for issuing notifications is therefore likely to be dictated by state laws, which can vary considerably from state to state.
There have been calls from privacy advocates to expand HIPAA to cover this gray area and ensure that individuals are notified about the exposure and/or theft of their health data, no matter who collects that information.