PHI from Multiple Covered Entities Published on GitHub
MedData Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals.
The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing. On December 10, 2020, MedData was notified by security researcher Jelle Ursem that some of its data had been discovered on GitHub. Dissent Doe of Databreaches.net provided a link to the uploaded data on December 14, 2020, according to the MedData breach notice.
An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. MedData said the files were removed from GitHub on December 17, 2020.
The files contained names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. MedData notified all covered entities on February 8, 2020, and affected individuals were notified on March 31, 2021. All individuals affected have been offered complimentary credit monitoring and identity protection services through IDX.
To prevent similar breaches in the future, MedData has blocked the use of all file sharing websites, updated its internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution.
The Department of Health and Human Services was notified about the breach on February 8, 2021, and the breach report shows 135,908 individuals were affected. Covered entities that have confirmed they were affected include OSF HealthCare, UChicago Medicine, Aspirus, King’s Daughters’ Health System, SCL Health, University Medical Center Southern Nevada (1,833 records), University Health (2,704 records) and Memorial Hermann Health System (1,893 records).
While MedData has confirmed that the files have been deleted from GitHub, that does not necessarily mean that the information is now secured. The files were uploaded to the GitHub Arctic Code Vault, which is a public data repository used for long-term archiving of files. The storage facility was developed to securely store data for up to 1,000 years. The storage facility involved saving data to physical storage media – hardened film – which was shipped to the GitHub Arctic Code Vault, located in a coal mine in Svalbard, Norway.
The films contain a huge volume of data which was current up until February 2nd, 2020, when the archive was finalized. Since MedData had the files removed from GitHub on December 17, 2020, it is probable that some of the data has also been stored on film and sent to the archive. MedData contacted GitHub and asked for the logs of the vault to determine if any of its data had been saved to the films and to arrange its removal, but it is unclear what happened after the request was made. “We do not know what transpired after that, although there had been some muttering that MedData might sue GitHub to get the logs,” explained Ursem and Doe in an April 1, 2020 report.
This is not the only GitHub data breach to be discovered by Jelle Ursem and Dissent Doe. They reported in August 2020 that the medical records of between 150,000 and 200,000 individuals had also been uploaded to GitHub and could have been accessed by anyone. A class action lawsuit was filed over the data breach, which was settled in 2024 for $7 million.