PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration

A database containing the personal information of individuals who had expressed an interest in Amarin Pharma’s cholesterol drug Vascepa® has been exposed online.

The database was maintained by a third-party vendor and contained information such as full names, addresses, telephone numbers, email addresses, medications, and interest in a copay card for Vascepa®.

Amarin learned of the breach via media reports of an exposed database containing information of Amarin customers and immediately launched an investigation. The company quickly determined which database had been exposed and took steps to suspend active data feeds. The database was secured the same day.

The vendor’s investigation revealed that a database misconfiguration had left the database accessible online between May 2, 2018 and June 20, 2019.

An investigation by the vendor confirmed that the database had been subjected to unauthorized access by a third party between May 29, 2019 and June 20, 2019, and during that time data had been copied.

Amarin and its vendor are continuing to investigate the breach, and the database will not be brought back online until additional safeguards have been implemented to prevent any further accidental disclosures.

According to vpnMentor, the database contained the records of approximately 78,000 individuals. A second database containing transaction information was also exposed.

Database of Billing and Insurance Data Processing Vendor Exposed Online

Another exposed database was discovered by security researchers at UpGuard. The database was stored in an unsecured Amazon S3 bucket and held around 14,000 documents containing a range of medical, personal and financial information. The database was traced to the billing and insurance data processing vendor Medico.

Spreadsheets, documents, PDF files, text files, and images were accessible through the database. Those files contained names, contact information, banking information, insurance information, Social Security numbers, usernames, passwords, prescription information, and other personal and medical information. Most of the information dated from 2018.

UpGuard notified the vendor of the unsecured S3 bucket, and the database and files were secured the same day. It is unclear whether the information had been subjected to unauthorized access prior to its discovery by UpGuard researchers.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.