GitHub is an open-source software development hosting website, with millions of developers building and maintaining their software on the platform. In December of 2020, GitHub was notified by security researchers Jelle Ursem and Dissent Doe that some of the data of Med-Data, Inc. (MedData) had been uploaded to GitHub. MedData provides revenue cycle management services for hospitals and health systems throughout the United States. Recently, MedData confirmed that patients' protected health information (PHI) had been uploaded to GitHub, where it could have been accessed by anyone. More details about the unauthorized uploading of patient PHI are discussed below.

How Did Patient PHI End up on GitHub’s Website?

Patient PHI Breach

According to the security researchers’ investigation, patient files containing PHI were uploaded to GitHub and physical copies were sent to GitHub’s Arctic Code Vault, which is a public data repository used for long-term archiving of files. Ursem detected large quantities of MedData PHI in the supposedly secure vault – all tied to GitHub.

When Ursem notified MedData of the PHI discovery on GitHub, MedData filed a breach report with the Office for Civil Rights of the Department of Health and Human Services (HHS). In the report, MedData indicated that some of its data had been discovered on GitHub.

MedData’s investigation revealed that a single employee had saved files containing protected health information to personal folders on GitHub between December 2018 and September 2019. MedData assured GitHub the files were removed from GitHub on December 17, 2020. However, it is possible that some of the patient PHI still remains in the vault.

The patient PHI that was discovered includes patient names combined with one or more data elements,