Unsecured Databases Compromised the PHI of Amarin and Medico Clients

An unsecured database exposed online the personal data of individuals who had expressed an interest in Vascepa®, a cholesterol drug that Amarin Pharma manufactures.

The database contained information including complete names, telephone numbers, email addresses, home addresses, information on copay cards for Vascepa®, and medication information. It is maintained by a third-party service provider.

Amarin only learned of the security breach because of a media report about an unsecured database containing Amarin clients' information. Amarin immediately looked into the security breach and identified the compromised database. On the very same day, Amarin deactivated the data feeds and secured the database.

According to the vendor's examination of the incident, a misconfiguration left the database accessible online from May 2, 2018 to June 20, 2019.

The investigators also confirmed that a third party accessed the database without authorization from May 29, 2019 to June 20, 2019. Someone may have copied certain information while the database was accessible.

Amarin and its third-party vendor are still looking into the incident. The database will stay offline until additional safeguards to avoid unintentional data disclosures have been implemented.

vpnMentor stated that there were about 78,000 records of men and women in the database. Another database containing transaction data was also compromised.

One more database became accessible online. According to UpGuard's security researchers, it was stored in an Amazon S3 bucket. The database held approximately 14,000 files containing personal, medical, and financial data. The database is owned by Medico, a billing and insurance data processing vendor.

The database contained files such as photos, PDF files, text files, spreadsheets, and documents. The compromised files hold information such as names, contact data, medical data, prescription details, insurance data, banking data, usernames, passwords, other personal data, and Social Security numbers. Most of the data belongs to patients who had doctor consultations in 2018.

UpGuard made the vendor aware of the unsecured Amazon S3 bucket. The vendor quickly took action and secured the database and files. It is still unknown whether someone else accessed the information before the UpGuard researchers discovered it.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA