
Unsecured Database Leak Could Put Thousands of Patients At Risk of Attack
The data were stored on an open and unsecured database that can be accessed by anyone.
More than 78,000 patients who use Vascepa, a prescription supplement that helps lower triglycerides, could have had their personal health information leaked, according to
Security researchers for vpnMentor, led by Noam Rotem and Ran Locar, discovered multiple sets of unsecured and unencrypted data regarding Vascepa. The data were found through an open and unsecured MongoDB database, which can be
The team found full identifying information for the patients who take the medication and a second database with transaction information.
With the healthcare industry being at
Identified Patient Data Includes:
- Patient’s full name
- Address
- Phone number
- Email address
The researchers noted in the report that having access to a full list of cellphone numbers and email addresses is an invitation for attack.
Transaction Information Includes:
- Prescribing doctor
- The doctor’s National Provider Identifier number
- Pharmacy name, address and identification
- National Association of Boards of Pharmacy e-profile number
- Member identification
The researchers found 391,649 purchase transactions for Vascepa.
Who Caused the Data Breach?
The database could belong to ConnectiveRx, a company that helps commercialize and maximize the benefits of branded and specialty medications, according to the researchers.
The data contained identification codes for two other companies: Constant Contact, an email marketing platform, and PSKW, the legal name for ConnectiveRx.
The team suspects ConnectiveRx is the culprit due to the consistency of the tags in the data. But because the researchers only found data concerning Vascepa prescriptions, they said it is less clear where the leak originated.
Inside Digital Health™ made attempts to speak with representatives from vpnMentor, Vascepa and ConnectiveRx but could not reach anyone.
What Does the Data Breach Mean?
According to the research team, the leaked health data fall under the umbrella of information covered by the Health Insurance Portability and Accountability Act Privacy Rule. The rule states that patient information cannot be released with any identifiers unless agreed to by the patient.
Leaked medical history puts the patient’s privacy and security in jeopardy. And there can be major consequences if this information is shared without their consent. Medical history could be used as blackmail and lead to discrimination or conflicts.
Patients’ information can also lead to unauthorized
How Healthcare Can Prevent a Similar Data Breach
The researchers said that basic security measures could have helped Vascepa prevent this data breach.
They provided several tips to prevent or patch a leak in a database, including:
- Secure your servers
- Implement proper access rules
- Never leave a system that doesn’t require authentication open to the internet
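As an added illustration of the last tip (this code is not from the vpnMentor report or the original article), the following Python check audits a MongoDB configuration file for the combination described above: a server reachable beyond loopback with authentication turned off. It assumes the standard `mongod.conf` options `net.bindIp`, `net.bindIpAll` and `security.authorization`, reads only the two-level `section: / key: value` layout, and uses constructed sample configurations.

```python
import ipaddress

# Constructed sample configurations (not taken from any real server).
OPEN_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("net:\n  bindIp: 127.0.0.1,10.0.0.5\n"
                 "security:\n  authorization: enabled\n")

def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' subset of mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():                  # unindented: section header
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value.strip().strip("\"'")
    return conf

def is_loopback(addr):
    if addr == "localhost" or addr.startswith("/"):  # hostname or Unix socket
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False            # unknown hostname: assume it is reachable

def audit(text):
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    # Assumption: MongoDB 3.6+ default, which binds to localhost if unset.
    binds = [a.strip() for a in net.get("bindIp", "localhost").split(",")]
    exposed = (net.get("bindIpAll", "false") == "true"
               or not all(is_loopback(a) for a in binds))
    auth = sec.get("authorization", "disabled") == "enabled"
    if exposed and not auth:
        return ["CRITICAL: reachable beyond loopback with no authentication"]
    if not auth:
        return ["WARN: authorization disabled (loopback only)"]
    if exposed:
        return ["INFO: network-reachable; restrict source addresses by firewall"]
    return []

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(cfg))
```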