BreachExchange mailing list archives
2 Misconfigured Databases Breach Sensitive Data of Nearly 90K Patients
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 8 Aug 2019 09:00:08 -0500
https://healthitsecurity.com/news/2-misconfigured-databases-breach-sensitive-data-of-nearly-90k-patients

Health vendor Medico and Amarin Pharma recently reported data breaches caused by misconfigured databases, which potentially exposed the data of thousands of patients.

According to the UpGuard Data Breach Research Team, a misconfigured database exposed 14,000 documents containing medical, personal, and financial data from Medico, a healthcare billing and insurance data processing vendor.

On June 20, the exposed Amazon S3 bucket was discovered, and UpGuard contacted the vendor within the day. Public access to the database was closed within hours.

“This quick response and action greatly helps the individuals whose data is present in an exposure, and should serve as an example to any organization facing a breach,” researchers wrote.

The database contained 1.7 GB of spreadsheets, PDFs, images, and text files, outlining insurance benefits and claims, medical reports and records, internal business data, and legal documents. Most of the files were dated from 2018.

The researchers explained the data related to individuals whose medical business was processed by Medico, including banking details, insurance information, Social Security numbers, and more personally identifiable information, like prescription histories. The database also included stored account names and default passwords.

“Every document had full personal details,” researchers wrote. “Some included handwritten notes that had been scanned or faxed back into a digital format. The types of individuals were varied, but included groups like minors and veterans.”

“When a third party such as this faces an exposure, the effects can be far reaching, and difficult to understand,” they added.
“But to the individual, the person whose data is contained in the exposed set, the consequences of exposure are the same: a breach of trust, a violation of privacy, and problems brought on by the very act of seeking and receiving help.”

What’s more, UpGuard researchers discovered another misconfigured database from Medico when investigating the initial leak.

MISCONFIGURED DATABASE BREACHES AMARIN PHARMA DATA

Amarin Pharma recently confirmed a June 20 report from vpnMentor that showed the full identifying information of about 78,000 patients was exposed by a misconfigured database.

vpnMentor researchers discovered a MongoDB database containing information related to patients who take the prescription medication Vascepa. A second database containing transaction information was also left exposed.

The data included patient names, contact information, the prescribing doctor, pharmacy information, insurance details, and the national provider identifier.

On June 20, officials said they were contacted about the misconfigured database by their third-party vendor that provides Amarin with copay assistance programs through customer management services related to Vascepa.

The error left the sensitive patient information exposed for nearly two months, between May 2 and June 20. Data access or acquisition could not be ruled out.

The database has been secured, and Amarin officials said the database will not be brought back online until appropriate safeguards are implemented.

These two separate security incidents are just the latest in an ongoing pattern of misconfigured databases in the healthcare sector. Just last month, a DNA testing service vendor reported a years-long consumer data breach due to a leaky database, while a December report showed 30 percent of online health databases expose patient data.
For UpGuard, healthcare’s data exposure issue is not due to a lack of awareness or “information that allows it to go unchecked.” Rather, resources storing sensitive data have been misconfigured.

“These misconfigurations occur due to poor operation processes that fail to account for the risk of data exposure, both in primary systems and in third party vendors,” UpGuard researchers wrote. “Only by proactively addressing these risks, building not just security, but risk mitigation, into data handling operations, can such errors and oversights be addressed in a timely enough way to prevent exposed data from being exploited.”

“Furthermore, the laws and regulations holding healthcare entities responsible must have teeth. They must be enforced, and the penalties must make it so that companies are better off doing the right thing than taking the chance of a breach and paying any penalties should they come up,” they added.