Meds prescriptions for 78,000 patients left in a database with no password
A MongoDB database was left open on the internet without a password, and by doing so, exposed the personal details and prescription information for more than 78,000 US patients.
The leaky database was discovered by the security team at vpnMentor, led by Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet earlier this week.
The database contained information on 391,649 prescriptions for a drug named Vascepa, used for lowering triglycerides (fats) in adults who are on a low-fat and low-cholesterol diet.
The database also contained the collective information of over 78,000 patients who were prescribed Vascepa in the past.
Leaked information included patient data such as full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more.
According to the vpnMentor team, all the prescription records were tagged as originating from PSKW, the legal name for a company that provides patient and provider messaging, co-pay, and assistance programs for healthcare organizations via a service named ConnectiveRX.
“We suspect the database may belong to ConnectiveRX, given the consistency of the tags in the data,” the vpnMentor team said. “However, we only found data concerning Vascepa prescriptions, which makes it less clear where the leak originated.”
It may have been PSKW itself, or a partner, a test system, or data that was possibly stolen from an unknown entity.
ZDNet reached out to PSKW seeking confirmation that the company owned the exposed database or any additional information about the possible source/partner that may be the owner of the leaky DB, but we have not heard back from the company.
ZDNet also reached out to Amarin, the maker of the Vascepa drug, seeking help in tracking down the database owner or any other additional information, but Amarin did not return our email.
vpnMentor argues that whoever left that database open — be it PSKW or one of its partners — has violated HIPAA, and may be in line for a hefty fine for failing to encrypt the patient data it had stored on the database server, a HIPAA golden rule. However, Dissent, the administrator of DataBreaches.net, a website dedicated to tracking data breaches and HIPAA violations, told ZDNet that just because a system stores medical information, it doesn't mean it's necessarily covered by HIPAA. Until the database owner is found, no other conclusions can be drawn.
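The failure at the root of this story is a MongoDB instance reachable from the internet with no authentication required. As an added example (not code from the article, vpnMentor or any of the companies named), here is a small Python audit of a mongod.conf for the two settings involved, run against two constructed sample configurations; the parser only handles the two-level layout mongod.conf uses.

```python
# Added example: audit a mongod.conf for the two settings whose absence or
# misconfiguration leave a MongoDB instance readable by anyone who reaches
# its port. Both sample configurations below are constructed for this demo.

WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, no auth section at all
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal address
security:
  authorization: enabled       # every client must authenticate
"""


def parse_mongod_conf(text):
    """Parse the two-level 'section:' / '  key: value' layout that mongod.conf
    uses (a small subset of YAML). Comments and blank lines are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):          # top-level section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    net, security = conf.get("net", {}), conf.get("security", {})
    findings = []
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client "
                        "that reaches the port can read every database")
    # mongod binds to localhost by default; 0.0.0.0, '::' or bindIpAll expose it
    bound = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bound):
        findings.append("net.bindIp exposes the instance on all interfaces: "
                        "reachable from the internet if the host is")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Pointing the script at a real server's config (for example /etc/mongod.conf) is a quick first check, though authorization being enabled still needs to be confirmed against the running instance, since a setting on disk does nothing until the service is restarted with it.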