The data were stored on an open and unsecured database that can be accessed by anyone.
More than 78,000 patients who use Vascepa, a prescription supplement that helps lower triglycerides, could have had their personal health information leaked, according to a report from vpnMentor.
Security researchers for vpnMentor, led by Noam Rotem and Ran Locar, discovered multiple sets of unsecured and unencrypted data regarding Vascepa. The data were found in an open, unsecured MongoDB database that anyone could access.
The team found full identifying information for the patients who take the medication and a second database with transaction information.
Because the healthcare industry is at increased risk for data breaches, providers need to ensure their databases are secured and encrypted to prevent leaks like this.
The researchers noted in the report that having access to a full list of cellphone numbers and email addresses is an invitation for attack.
The researchers found 391,649 purchase transactions for Vascepa.
The database could belong to ConnectiveRx, a company that helps commercialize and maximize the benefits of branded and specialty medications, according to the researchers.
The data contained identification codes for two other companies: Constant Contact, an email marketing platform, and PSKW, the legal name for ConnectiveRx.
The team suspects ConnectiveRx is the culprit due to the consistency of the tags in the data. But because the researchers only found data concerning Vascepa prescriptions, they said it is less clear where the leak originated.
Inside Digital Health™ made attempts to speak with representatives from vpnMentor, Vascepa and ConnectiveRx but could not reach anyone.
According to the research team, the leaked health data fall under the umbrella of information covered by the Health Insurance Portability and Accountability Act Privacy Rule. The rule states that patient information cannot be released with any identifiers unless agreed to by the patient.
Leaked medical history puts the patient's privacy and security in jeopardy, and there can be major consequences if this information is shared without their consent. Medical history could be used for blackmail and lead to discrimination or conflicts.
The researchers said that basic security measures could have helped Vascepa prevent this data breach.
They provided several tips to prevent or patch a leak in a database, including: