A MongoDB database left exposed online without a password has revealed the personal details and prescription information of more than 78,000 US patients.
The leaky database was discovered by the security team at vpnMentor, led by Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet earlier this week.
The database contained information on 391,649 prescriptions for a drug named Vascepa, which is used to lower triglycerides (fats) in adults who are on a low-fat and low-cholesterol diet.
Furthermore, the database also contained the collective information of over 78,000 patients who had been prescribed Vascepa in the past.
Leaked information included patient data such as full names, addresses, mobile phone numbers, and email addresses, but also prescription details such as the prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more.
According to the vpnMentor team, all of the prescription records were tagged as originating from PSKW, the legal name of a company that provides patient and provider messaging, co-pay, and support programs for healthcare organizations via a service named ConnectiveRX.
“We suspect the database could belong to ConnectiveRX, given the consistency of the tags within the data,” the vpnMentor team said. “However, we only found data related to Vascepa prescriptions, which makes it less clear where the leak originated.”
It could have been PSKW itself, or a partner, a test system, or data that was possibly stolen from an unknown entity.
ZDNet reached out to PSKW seeking confirmation that the company owned the exposed database, or any additional details about the possible source or partner that may be the owner of the leaky DB, but we have not heard back from the company.
ZDNet also reached out to Amarin, the maker of the Vascepa drug, likewise seeking help in tracking down the database owner or any other additional information, but Amarin did not return our email.
vpnMentor argues that whoever left that database open, be it PSKW or one of its partners, has violated HIPAA, and may be in line for a hefty fine for failing to encrypt the patient data it had stored on the database server, a HIPAA golden rule.
However, Dissent, the administrator of DataBreaches.net, a website dedicated to tracking data breaches and HIPAA violations, told ZDNet that just because a system stores medical information, it does not mean it is necessarily covered by HIPAA. Until the database owner is found, no other conclusions can be drawn.