GitHub is an open-source software development hosting website, with millions of developers building and maintaining their software on the platform. In December of 2020, GitHub was notified by security researchers Jelle Ursem and Dissent Doe of, that some of the data of Med-Data, Inc. (MedData), had been uploaded to GitHub. MedData provides revenue cycle management services for hospitals and health systems throughout the United States. Recently, MedData confirmed that patient protected PHI had been uploaded to GitHub where it could have been accessed by anyone. More details about the unauthorized uploading of patient PHI are discussed below.

How Did Patient PHI End up on GitHub’s Website?

Patient PHI Breach

According to the security researchers’ investigation, patient files containing PHI were uploaded to GitHub and physical copies were sent to their Arctic Code Vault, which is a public data repository used for long term archiving of files. Ursem detected large quantities of MedData PHI in the supposedly secure vault – all tied to GitHub. 

When Ursem notified MedData of the PHI discovery on GitHub, MedData filed a breach report with the Office for Civil Rights of the Department of Health and Human Service (HHS). In the report, MedData indicated that some of its data had been discovered on GitHub.

MedData’s investigation revealed that a single employee had saved files containing protected health information to personal folders on GitHub between December 2018 and September 2019. MedData assured GitHub the files were removed from GitHub on December 17, 2020. However, it is possible that some of the patient PHI still remains in the vault.

Rated #1 on G2

“Compliancy Group makes a highly complex process easy to understand.”

Easiest To Do Business With 2024

The patient PHI that was discovered includes patient names combined with one or more data elements, including:

  • Member ID numbers;
  • Diagnoses;
  • Conditions;
  • Dates of treatment;
  • Medical procedure codes;
  • Health insurance policy numbers; and
  • Provider names. 

All affected patients will receive free credit monitoring and identity protection services.

A number of covered entities use MedData’s revenue cycle management services. These include King’s daughter’s Health System, OSF HealthCare, Aspirus, University of Chicago Medicine, and Memorial Hermann Health Systems. Each of these covered entities has issued its own data breach notification. The notifications indicate that MedData is continuing to work with outside security parties to confirm that all data tied to the incident has been deleted and physically destroyed, as well as to determine whether the data has been shared with anyone else.

Not the First Time Patient PHI Was Discovered on GitHub

This data breach incident is not the first to involve GitHub. In August of 2020, the same researchers found that improper access controls left the PHI of approximately 200,000 patients exposed. The PHI was discovered in at least nine GitHub repositories.

Are you using HIPAA compliant tools?

Make sure you’re following all of the HIPAA rules.