Two incidents of database misconfiguration caused data breaches that affected 90,000 patients. Databases belonging to health vendor Medico and to Amarin Pharma were exposed to the public, putting patients’ protected health information (PHI) at risk.
Medico Healthcare Breach
UpGuard, a data breach research team, discovered the Medico healthcare breach and reported it to the vendor. Medico removed public access to the database within a few hours of discovery. Medico was using an Amazon S3 bucket, a public cloud storage service available on Amazon Web Services (AWS). The Medico healthcare breach exposed the PHI of 14,000 individuals. Information exposed included medical, personal, and financial data. Most of the exposed files were dated from 2018 and included 1.7GB of PDFs, spreadsheets, text files, and images.
UpGuard researchers stated, “When a third party such as this faces an exposure, the effects can be far reaching, and difficult to understand. But to the individual, the person whose data is contained in the exposed set, the consequences of exposure are the same: a breach of trust, a violation of privacy, and problems brought on by the very act of seeking and receiving help.”
The breached files included medical reports and records, insurance claims, insurance benefits, internal business data, and legal documents. PHI such as insurance information, banking details, Social Security numbers, prescription details, and account names and default passwords was contained in the leaked database.
Amarin Healthcare Breach
vpnMentor researchers discovered a database in June that contained information on patients taking the prescription Vascepa. In addition, a database holding transaction information was also exposed. The PHI of 78,000 patients was exposed in the healthcare breach. PHI exposed included contact information, patient names, pharmacy information, prescribing doctor, national provider identifier, and insurance details.
The misconfigured database was exposed for two months before its discovery. It is unclear whether or not the data was accessed or copied by unauthorized individuals within this time period. As a result of the healthcare breach, Amarin will not put the database back online until adequate safeguards are in place to secure their PHI in the future.
UpGuard commented on the healthcare breaches stating, “These misconfigurations occur due to poor operation processes that fail to account for the risk of data exposure, both in primary systems and in third party vendors. Only by proactively addressing these risks, building not just security, but risk mitigation, into data handling operations, can such errors and oversights be addressed in a timely enough way to prevent exposed data from being exploited.”