When Ursem notified MedData of the PHI discovery on GitHub, MedData filed a breach report with the Office for Civil Rights of the Department of Health and Human Services (HHS). In the report, MedData indicated that some of its data had been discovered on GitHub.
MedData’s investigation revealed that a single employee had saved files containing protected health information to personal folders on GitHub between December 2018 and September 2019. MedData assured GitHub the files were removed from GitHub on December 17, 2020. However, it is possible that some of the patient PHI remains in the vault.