Unsecured database exposed PII & prescriptions of 78,000 Vascepa users
News / Unsecured database exposed PII & prescription details of 78,000 Vascepa users
21 June 2019
Security researchers recently unearthed an unsecured and unencrypted MongoDB database that contained personally identifiable information (PII) of more than 78,000 patients in the United States who use a prescription drug named Vascepa that helps lower triglycerides in adults.
Researchers Noam Rotem and Ran Locar at vpnMentor, who discovered an unsecured and publicly accessible MongoDB database owned and managed by Florida-based ad agency xSocialMedia that stored almost 150,000 medical records earlier this week, have also discovered another unsecured MongoDB database that contains personally identifiable information of more than 78,000 US patients as well as their medical prescriptions.
The open, public-facing, unencrypted, and unsecured MongoDB database wad found containing personal information of over 78,000 US patients that included patients’ names, addresses, phone numbers, and email addresses.
The database also stored 391,649 prescriptions belonging to these patients as well as additional records such as name of the prescribing doctor, their NPI number (National Provider Identifier), the pharmacy’s information, and the NABP E-Profile Number (National Association of Boards of Pharmacy).
All the patients whose details were stored in the unsecured database used an FDA-approved prescription drug names Vascepa that helps lower triglycerides in the adult body without raising bad cholesterol.
According to vpmMentor researchers, while the consistency of the tags in the data points to the fact that the database could be owned and managed by ConnectiveRX, the fact that the database contains information only concerning Vascepa prescriptions makes it less clear where the leak originated.
Vascepa patients could have been exposed to privacy breach & blackmail
“There can be many severe consequences if medical history is shared without a person’s consent. They can face discrimination from a job or find themselves in the middle of a family conflict. Many people might find their medical histories embarrassing. In some cases, medical history is used as blackmail. Keeping health data protected can keep patients safer in the long run,” vpmMentor said.
“Unfortunately, this is yet another example of a breach of highly sensitive consumer data that occurred because of a simple security mistake. Leaving a database publicly accessible without even basic security such as password protection is inexcusable,” says Anurag Kahol, CTO at Bitglass.
“Once the owner of the database is identified, they will likely face penalties for violating HIPAA compliance regulations. Healthcare organizations must take the proper cloud security steps, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their database, maintain compliance with regulations, and protect the sensitive consumer data that they have been entrusted with,” he adds.
Todd Peterson, IAM evangelist at One Identity, says: “This is just an example of bad security. Everyone knows better than to just leave sensitive data exposed, but some people still do it – whether it’s out of laziness, ignorance, or carelessness, it is entirely unacceptable. This is an egregious violation of every regulation imaginable because there was obviously no “best effort” to do the right thing.
“It seems a third-party was at fault, but it is the responsibility of the owner of the data to ensure that all users of the data follow the rules, and they are culpable for exposure as a result of a “trusted” third party messing up.
“Obviously, better access control in the form of simple password protection would have prevented this mistake. But more in depth practices such as access governance, data governance, and privileged access management would be wise for anyone holding such sensitive data.”
The discovery of the unsecured MongoDB database containing sensitive patient details is the second such incident to have occurred this week. On Wednesday, researchers Noam Rotem and Ran Locar discovered multiple unsecured databases managed by xSocialMedia that contained nearly 150,000 medical records that included “deeply personal medical testimonies, identifying information, and contact information for users”.
The researchers found vast troves of information in the databases such as first and last names, email addresses, physical addresses, phone numbers, IP addresses, circumstances of injuries and explanations about the injuries.