Report: Thousands of Pharmaceutical Records Leaked in Possible HIPAA Violation
vpnMentor's research team has discovered a leak in a database regarding the prescription medication Vascepa.
The research team, led by Noam Rotem and Ran Locar, found several sets of unsecured and unencrypted data regarding Vascepa, a prescription supplement that helps lower triglycerides. The drug appears to be used by more than 78,000 patients.
The data includes full identifying information for the 78,000+ patients who take the medication. A second database with transaction information was also available.
The patient data includes patients' names, addresses, phone numbers, and email addresses. Additionally, we can access the transaction information that records the prescribing doctor, their NPI number, and the pharmacy's information.
We found the data in an improperly configured MongoDB database, which had been left open and exposed so that anyone on the internet could access it. Several days after discovering the data, we came to believe the database could belong to ConnectiveRX, and we contacted them to alert them to the leak.
On June 18, we received a Twitter message from David Yakimischak, the CTO of ConnectiveRx. He wrote, "The database referenced in the recent media article is not a database that we maintain or even have access to. We don’t use that database management system at all for any of our programs."
Examples of Entries in the Database
Vascepa is a prescription medication manufactured by Amarin. The drug, intended to help lower high triglycerides, is taken by more than 78,000 patients. Based on the database breach we found, we know there have been 390,000+ transactions of Vascepa.
The medication is unique in that it lowers triglycerides without raising a patient's LDL, or bad cholesterol. Vascepa stands out from other Omega-3 supplements in its lack of DHA, an Omega-3 fatty acid which has been shown to raise LDL. It is only available with a prescription.
Data Included in the Breach
- Full name
- Cell phone number
- Email address
- Pharmacy ID
- Pharmacy Name
- Pharmacy Address
- Prescribing Doctor
- NPI number (National Provider Identifier)
- Member ID
- NABP E-Profile Number (National Association of Boards of Pharmacy)
We can see from the data above that patients' full identifying information is easily accessible in the database. With their name and address, it's easy to find a large amount of information about them. Notably, there are ID codes for two other companies: Constant Contact, an email marketing platform, and PSKW, the legal name of the electronic prescription program ConnectiveRX.
We suspect the database may belong to ConnectiveRX, given the consistency of the tags in the data. However, we only found data concerning Vascepa prescriptions, which makes it less clear where the leak originated.
Having access to a full list of cell phone numbers and email addresses is an invitation for attack.
This second example comes from a second database. We have 391,649 purchase transactions for Vascepa. The information stored under transactions includes all of the information about the pharmacies where the prescription was filled. This includes the e-profile number for the pharmacist, which tracks the prescriptions they fill, among other things.
Additionally, we have the full information for the prescriber. This includes their full name, the kind of medical license they hold, the address of their practice, and their NPI numbers.
Data Breach Impact
Health data like what leaked from the Vascepa database appears to fall under the umbrella of information covered by the HIPAA Privacy Rule. Under this rule, patient information, even in an associated industry, must not be released with any identifiers, unless agreed to by the patient themself.
Medical records are protected from public access to ensure the patient's privacy and security. There can be many severe consequences if medical history is shared without a person's consent. They can face discrimination from a job or find themselves in the middle of a family conflict. Many people might find their medical histories embarrassing. In some cases, medical history is used as blackmail. Keeping health data protected can keep patients safer in the long run.
As we see in the data above, having a patient's email address or phone number is an easy way to initiate a mass spam or malware attack. Access to a patient’s private health information makes it easy to commit acts of fraud. In this case, we don't have a direct link between the patient and their prescriber, but that information could be used to mislead a patient if someone were to find it.
There is also a possibility that the doctor's information could be misused by someone who found it and understood the procedure for calling in and filling prescriptions. As e-prescribing becomes more popular, pharmacies have adopted multi-factor authentication to prevent prescription fraud, especially when it comes to controlled substances.
Data breaches in the health care industry are becoming increasingly common. Cybersecurity, therefore, is a pressing issue in all industries. The frequency with which health data leaks has led to the adoption of new security standards for healthcare companies working with online databases.
One of the main requirements is that all data stored in the database must be encrypted. This way, even if it leaks, the data should be unreadable. As we can see in Vascepa's case, there was no level of encryption protecting this sensitive information. HIPAA offers companies that work with virtual medical data a checklist for security compliance.
Healthcare companies that do suffer a data breach can face severe fines, depending on how much negligence they're guilty of. According to the HIPAA enforcement rule, even "a violation attributable to ignorance can attract a fine of $100 – $50,000" per violation.
These are just the consequences of enforcing HIPAA itself. When leaks occur, the companies can still face civil suits from the victims of the leaks on top of the financial penalties. Two of the most common reasons for fines include not having protection in place for patient records and not having appropriate security measures in place to protect electronic records.
Advice from the Experts
A data breach of this sort could have easily been prevented with several basic security measures. The following tips are some basic steps to prevent or patch a leak in a database.
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
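The three tips above map directly onto a handful of MongoDB settings, and the exposed instance described in this report is what the weak form of those settings looks like in practice. The script below is an added example, not part of vpnMentor's report and not code from MongoDB or ConnectiveRX: it parses a mongod.conf and flags a listener bound to every interface, missing authorization, and missing TLS. The option names net.bindIp, net.bindIpAll, security.authorization and net.tls.mode are real mongod settings; the two sample configurations, the minimal parser and the audit function are constructed here for illustration.

```python
"""Audit a mongod.conf against three basic hardening measures.

Added example (not the report's or any vendor's code). The two
configurations below are constructed samples; the first resembles an
instance left open to the internet, the second applies the advice above.
"""

WEAK_CONF = """\
# constructed sample: listener on every interface, no auth, no TLS
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: same instance with the three measures applied
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the indentation-based YAML subset that mongod.conf uses into a
    flat dict of dotted keys, e.g. {"net.bindIp": "0.0.0.0"}.

    Handles nested mappings and scalar values only (no YAML lists), which is
    enough for the options this audit looks at.
    """
    result = {}
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Leave any mapping that is not an ancestor of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            result[path] = value
        else:
            stack.append((indent, key))  # start of a nested mapping
    return result


def audit(conf):
    """Return a list of findings; an empty list means the basics are in place."""
    findings = []

    # 1. Secure your servers: mongod defaults to localhost, so only an
    #    explicit bind to 0.0.0.0 / :: (or bindIpAll) exposes it.
    addrs = [a.strip() for a in conf.get("net.bindIp", "127.0.0.1").split(",")]
    if any(a in ("0.0.0.0", "::") for a in addrs) or conf.get("net.bindIpAll") == "true":
        findings.append("net.bindIp: listener is bound to every interface")

    # 2. Implement proper access rules / never expose an unauthenticated
    #    system: without authorization, anyone who reaches the port can
    #    read every collection, and per-user roles cannot be enforced.
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization: not enabled, no login required")

    # 3. Data in transit: without TLS, records and credentials cross the
    #    network in the clear.
    if conf.get("net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode: TLS not required")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = audit(parse_conf(text))
        print(f"{name}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
```

Run against a real file with `audit(parse_conf(open("/etc/mongod.conf").read()))`. The audit deliberately treats an absent `security` section as a finding, because mongod runs without authorization unless it is switched on explicitly, which is exactly how a database ends up readable by anyone who finds the port.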
How and Why We Discovered the Breach
We found this data leak as a part of our large-scale web mapping project. Ran and Noam scan ports looking for known IP blocks. Once they've discovered these blocks, they can use them to look for holes in a website's system.
When they find leaked data, they use several expert techniques to verify the database's identity. We then alert the company to the breach. If possible, we will also alert those affected by the breach. The purpose of the project is to help make the internet safer for all users.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 80 million US households. We also revealed that Gearbest experienced a massive data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.