PHI from Several Covered Entities Posted on GitHub

Med-Data Inc., a revenue cycle management services vendor based in Spring, TX, has given confirmation that the protected health information (PHI) of patients of some of its clients were loaded to GitHub, an open-source software development hosting website. And unauthorized people could have accessed the information.

The company gives services to healthcare providers and health plans through processing Medicaid membership, third-party liability, employees’ compensation, and patient invoicing. On December 10, 2020, security researcher Jelle Ursem notified Med-Data concerning some data discovered on GitHub. Med-Data’s breach notice mentioned that on December 14, 2020, Dissent Doe of provided a hyperlink to the uploaded information.

An investigation quickly began, and it was established that one of its workers had saved files that contain protected health information to personal folders on GitHub Arctic Code Vault from December 2018 up to September 2019. Med-Data stated that on December 17, 2020, the files were deleted from GitHub.

The information contained in the files included names, dates of birth, addresses, Social Security numbers, diagnoses, medical conditions, claims details, subscriber IDs, dates of service, medical procedure codes, provider name, and health insurance policy numbers. Med-Data informed all covered entities on February 8, 2020 and sent notifications to affected persons on March 31, 2021. All people impacted received offers of complimentary credit monitoring and identity protection services through IDX.

To avoid other identical breaches from happening, Med-Data has stopped the use of all file sharing websites, made updates to its internal data policies and procedures, put in place a security operations center, and started a managed detection and response tool.

The Department of Health and Human Services was advised regarding the breach on February 8, 2021; nevertheless, the breach has yet to be posted on the OCR breach portal, therefore it is not clear how many persons were affected. Covered entities that have stated they were impacted were UChicago Medicine, OSF HealthCare, Aspirus, SCL Health, King’s Daughters’ Health System, and Memorial Hermann Health System.

Although Med-Data has affirmed that the files were deleted from GitHub, that does not actually mean that the information is now secured. The files were published to the GitHub Arctic Code Vault, which is a public data repository utilized for long-term archiving of files. The storage facility was designed to securely keep files for about 1,000 years. The storage solution required the data to be saved to a physical storage media, a hardened film, which was delivered to the GitHub Arctic Code Vault, situated in a coal mine in Svalbard, Norway.

The films consist of a large volume of information which was current up to February 2nd, 2020 the time the archive was made final. Because Med-Data had the data files removed from GitHub on December 17, 2020, it is likely that a number of the information were also stored on film and delivered to the archive. Med Data communicated with GitHub to request for the records of the vault to find out if any of its records had been put in the films and to program its removal, however it is uncertain what transpired after making the request. But there was unconfirmed news that MedData may well sue GitHub to obtain the logs.

Jelle Ursem and Dissent Doe also discovered other GitHub data breaches. In August 2020, they reported that the healthcare records of around 150,000 to 200,000 people were also uploaded to GitHub and made accessible to anyone.