Data on Patients Taking Vascepa Prescription Medication Exposed
78,000 Patient Healthcare Records Exposed in Unsecured MongoDB Database
Vascepa is a prescription drug from Amarin that is used to control high levels of triglycerides (let’s say, ‘bad fat’) in the blood. Since bad fat in the blood is also harmful to the heart, there is an obvious connection to cardiovascular issues. On May 29, Amarin shares jumped by more than 10% following news that the FDA would prioritize its review of Vascepa labeling as a cardiovascular drug — which is expected to be favorable.
At around the same time, researchers from vpnMentor discovered two unprotected plaintext databases concerning the drug. The first contained the personal information of more than 78,000 Vascepa patients. The second contained details on more than 390,000 prescription transactions.
The patient data comprises full name, postal address, mobile phone number and email address. The transaction data includes the pharmacy name, address and the prescribing doctor. Although there is no shared key directly linking the two databases, educated guesses could be made via geo-proximity: a patient's home address can be matched to the nearest pharmacy in the transaction set, and hence to a likely prescribing doctor. Apart from the basic phishing threat from the personal data alone, this could leave patients exposed to vishing (voice phishing) attacks from scammers pretending to be the patient's doctor or the doctor's assistant.
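The following Python script is an added illustration of how far that geo-proximity inference gets an attacker who holds both datasets; it is not code from the original article, from vpnMentor or from any party named here. The patient and pharmacy coordinates are constructed sample values (the script assumes the postal addresses have already been geocoded), and the script returns a guess together with an ambiguity flag, because in a dense urban area the nearest pharmacy is often not the right one.

```python
"""Added example: what geo-proximity linkage of two exposed datasets yields.
All coordinates below are constructed (assumed already geocoded from postal
addresses); none come from the exposed databases."""
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample records from the "patient" dataset (name + home address).
PATIENTS = [
    {"name": "Patient A", "lat": 40.7580, "lon": -73.9855},   # Midtown Manhattan
    {"name": "Patient B", "lat": 34.0522, "lon": -118.2437},  # downtown Los Angeles
]

# Constructed sample records from the "transaction" dataset (pharmacy + doctor).
PHARMACIES = [
    {"name": "Pharmacy 1", "doctor": "Dr. X", "lat": 40.7614, "lon": -73.9776},
    {"name": "Pharmacy 2", "doctor": "Dr. Y", "lat": 40.7484, "lon": -73.9857},
    {"name": "Pharmacy 3", "doctor": "Dr. Z", "lat": 34.0407, "lon": -118.2468},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def guess_pharmacy(patient, pharmacies, ambiguity_ratio=2.0):
    """Rank pharmacies by distance from the patient's home and return the
    nearest as the guess, plus the doctor attached to it in the transaction
    data. The guess is flagged ambiguous when the runner-up lies within
    ambiguity_ratio times the best distance: the inference then degrades to
    a shortlist rather than a single doctor."""
    scored = [(haversine_km(patient["lat"], patient["lon"], p["lat"], p["lon"]), i)
              for i, p in enumerate(pharmacies)]
    scored.sort()
    best_km, best_i = scored[0]
    runner_up_km = scored[1][0] if len(scored) > 1 else float("inf")
    best = pharmacies[best_i]
    return {
        "patient": patient["name"],
        "pharmacy": best["name"],
        "doctor": best["doctor"],
        "km": round(best_km, 2),
        "ambiguous": runner_up_km < best_km * ambiguity_ratio,
    }


if __name__ == "__main__":
    for patient in PATIENTS:
        print(guess_pharmacy(patient, PHARMACIES))
```

Patient A's two candidate pharmacies are both within about a kilometre, so the script reports an ambiguous guess; Patient B has only one plausible pharmacy within thousands of kilometres and the guess is firm. That is exactly the kind of linkage a custodian should assume is possible when two "unrelated" datasets carry addresses.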
The vpnMentor researchers believe that the databases may belong to ConnectiveRX, a firm that says it “works with biopharmaceutical manufacturers to help commercialize and maximize the benefits of branded and specialty medications.” SecurityWeek has contacted ConnectiveRX for confirmation (or denial) of this. Any response received will be appended to this article.
If the databases are operated by ConnectiveRX (or a similar third-party), it will not absolve the primary owner of the data — whether the pharmaceutical company or some other organization. “It is the responsibility of the owner of the data to ensure that all users of the data follow the rules, and they are culpable for exposure as a result of a ‘trusted’ third party messing up,” explains Todd Peterson, IAM evangelist at One Identity.
The researchers also describe the databases as MongoDB databases, saying, “We found the unsecured data through MongoDB, which is an open and unsecured database that can be accessed by anyone.” That characterization is wrong: MongoDB is not inherently open. In this case it was the particular deployment, and the storage behind it, that had been left unsecured.
With the rise of the cloud, and especially of its low-cost storage, unsecured databases have become common. Large exposed AWS S3 buckets, Elasticsearch clusters and MongoDB instances have all been found over the last few years. In April 2019, Upguard found an unsecured AWS S3 bucket containing 146 gigabytes (540 million records) of Facebook-related records including account names, comments, likes, and Facebook IDs.
In November 2018, Hacken Proof discovered unsecured Elasticsearch databases containing personal data of 82 million U.S. users. On February 25, 2019, researcher Bob Diachenko discovered an unsecured MongoDB instance of 800 million records including email addresses and phone numbers.
Amazon has responded to such leaks by improving its security options, for example with the S3 ‘block public access’ feature. MongoDB responded this week with the announcement of client-side field-level encryption. The two address the problem at different layers: blocking public access prevents the exposure in the first place, while field-level encryption limits the damage of an exposed instance, because the sensitive fields are ciphertext without the keys held by the client. Both features could prevent this kind of leak, but both share one major drawback: they have to be switched on and used by the database owners, or at least by the data users, who may be marketing staff with no security knowledge who just need temporary storage for a large subset of the data.
It should be stressed that the providers, whether database or storage, are not themselves insecure. It is the configuration and use of them that can be insecure. For example, Davi Ottenheimer, VP of trust & digital ethics at MongoDB, told SecurityWeek, “MongoDB is not an open and unsecured database. For years, the company has provided education and options to ensure security configuration best practices are easily set up and deployed. Someone has to intentionally configure the database to be open.”
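As an added illustration of what “intentionally configure the database to be open” means in practice, the following Python script (written for this article; it is not MongoDB's, vpnMentor's or any named party's code) parses a mongod.conf, holds the open pattern beside a hardened one, and flags the three settings that decide whether an instance is reachable and readable by anyone on the internet: net.bindIp (or net.bindIpAll), security.authorization and net.tls.mode. Both configuration files are constructed samples, and the parser handles only the indented key: value subset of YAML that mongod.conf normally uses (an assumption, stated in the code).

```python
"""Added example: audit a mongod.conf for the settings that leave an
instance open to anyone on the internet. The sample configurations are
constructed for this article; the parser covers only the indented
"key: value" subset of YAML that mongod.conf normally uses (assumption)."""

# Constructed sample: the open pattern (listens on every interface, no
# authentication, no TLS). Not the configuration of any real deployment.
OPEN_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface: internet-reachable if the host is
storage:
  dbPath: /var/lib/mongo
"""

# Constructed sample: the same server bound to loopback plus one internal
# address, with authorization and TLS required.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::"}   # "all IPv4" / "all IPv6"


def parse_conf(text):
    """Parse indented key/value YAML into nested dicts (no lists or anchors)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # close sections at equal/deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":               # "section:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(conf, dotted, default=None):
    """Fetch a dotted path such as 'net.tls.mode', or default if absent."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_public_bind(bind_ip):
    """True if any address in the comma-separated list means 'every interface'."""
    return any(a.strip() in PUBLIC_BINDS for a in str(bind_ip).split(","))


def audit(conf_text):
    """Return findings for the exposure-relevant settings; [] means clean.
    Defaults mirror mongod's own (3.6 and later): bind to localhost,
    authorization disabled, TLS disabled."""
    conf = parse_conf(conf_text)
    findings = []
    bind_all = str(lookup(conf, "net.bindIpAll", "false")).lower() == "true"
    if bind_all or is_public_bind(lookup(conf, "net.bindIp", "127.0.0.1")):
        findings.append("net.bindIp: listening on all interfaces")
    if str(lookup(conf, "security.authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization: disabled, no credentials required")
    tls_mode = lookup(conf, "net.tls.mode") or lookup(conf, "net.ssl.mode", "disabled")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode: TLS not required, traffic readable in transit")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run against the open sample the audit reports all three findings; against the hardened sample it reports none. The check is deliberately narrow: it does not replace a network-level test from outside the perimeter, but it catches the exact configuration that turns a MongoDB instance into the "open and unsecured database" the researchers describe.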
Lack of security knowledge cuts no ice with Peterson. “This is just an example of bad security,” he said. “Everyone knows better than to just leave sensitive data exposed, but some people still do it — whether it’s out of laziness, ignorance, or carelessness, it is entirely unacceptable. This is an egregious violation of every regulation imaginable because there was obviously no ‘best effort’ to do the right thing.”
In the current Vascepa leak, somebody is most likely out of compliance with HIPAA. Under the Breach Notification Rule, a breach of unsecured protected health information affecting 500 or more people must be reported to the Department of Health and Human Services “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” At the time of writing, there is no corresponding entry on the HHS Office for Civil Rights breach portal, although the incident may simply be too recent to have appeared there yet.
“The healthcare industry, more specifically the leading pharmacies,” warns Robert Prigge, president at Jumio, “needs to ensure that these breached records don’t become the tools used for account takeovers. Just how easy would it be for a fraudster to impersonate a breached patient and secure their prescriptions (including many controlled substances) online? Incredibly easy with outdated authentication methods. Pharmacies need to adopt more advanced digital identity verification and authentication technology to make sure that a patient’s digital identity matches their physical identity after so many high-profile healthcare data breaches.”
Related: Why Healthcare Security Matters