PHI from Multiple Covered Entities Published on GitHub

Med-Data Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals.

The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third party liability, workers’ compensation and patient billing. On December 10, 2020, Med-Data was notified by security researcher Jelle Ursem that some data of its data had been discovered on GitHub. Dissent Doe of provided a link to the uploaded data on December 14, 2020, according to the Med-Data breach notice.

An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. Med-Data said the files were removed from GitHub on December 17, 2020.

The files contained names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider named, and health insurance policy numbers. Med-Data notified all covered entities on February 8, 2020 and affected individuals were notified on March 31, 2021. All individuals affected have been offered complimentary credit monitoring and identity protection services through IDX.

To prevent similar breaches in the future, Med-Data has blocked the use of all file sharing websites, updated its internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution.

The Department of Health and Human Services was notified about the breach on February 8, 2021 and the breach shows 135,908 individuals were affected. Covered entities that have confirmed they were affected include OSF HealthCare, UChicago Medicine, Aspirus, King’s Daughters’ Health System, SCL Health, University Medical Center Southern Nevada (1,833 records), University Health (2,704 records) and Memorial Hermann Health System (1,893 records).

While Med-Data has confirmed that the files have been deleted from GitHub, that does not necessarily mean that the information is now secured. The files were uploaded to the GitHub Arctic Code Vault, which is a public data repository used for long term archiving of files. The storage facility was developed to securely store data for up to 1,000 years. The storage facility involved saving data to physical storage media – hardened film – which was shipped to the GitHub Arctic Code Vault, located in a coal mine in Svalbard, Norway.

The films contain a huge volume of data which was current up until February 2nd, 2020 when the archive was finalized. Since Med-Data had the files removed from GitHub on December 17, 2020, it is probable that some of the data has also been stored on film and sent to the archive. Med Data contacted GitHub and asked for the logs of the vault to determine if any of its data had been saved to the films and to arrange its removal, but it is unclear what happened after the request was made. “We do not know what transpired after that, although there had been some muttering that MedData might sue GitHub to get the logs,” explained Ursem and Doe in an April 1, 2020 report.

This is not the only GitHub data breach to be discovered by Jelle Ursem and Dissent Doe. They reported in August 2020 that the medical records of between 150,000 and 200,000 individuals had also been uploaded to GitHub and could have been accessed by anyone.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.