[BreachExchange] 2 Misconfigured Databases Breach Sensitive Data of Nearly 90K Patients

Destry Winant destry at riskbasedsecurity.com
Thu Aug 8 10:00:08 EDT 2019


Health vendor Medico and Amarin Pharma recently reported data breaches
caused by misconfigured databases, which potentially exposed the data
of thousands of patients.

According to the UpGuard Data Breach Research Team, a misconfigured
database exposed 14,000 documents containing medical, personal, and
financial data from Medico, a healthcare billing and insurance data
processing vendor.

On June 20, the exposed Amazon S3 bucket was discovered, and UpGuard
contacted the vendor within the day. Public access to the database was
closed within hours.

“This quick response and action greatly helps the individuals whose
data is present in an exposure, and should serve as an example to any
organization facing a breach,” researchers wrote.

The database contained 1.7 GB of spreadsheets, PDFs, images, and text
files, outlining insurance benefits and claims, medical reports and
records, internal business data, and legal documents. Most of the
files were dated from 2018.

The researchers explained the data related to individuals whose
medical business was processed by Medico, including banking details,
insurance information, Social Security, and more personally
identifiable information, like prescription histories. The database
also included stored account names and default passwords.

“Every document had full personal details,” researchers wrote. “Some
included handwritten notes that had been scanned or faxed back into a
digital format. The types of individuals were varied, but included
groups like minors and veterans.”

“When a third party such as this faces an exposure, the effects can be
far reaching, and difficult to understand,” they added. “But to the
individual, the person whose data is contained in the exposed set, the
consequences of exposure are the same: a breach of trust, a violation
of privacy, and problems brought on by the very act of seeking and
receiving help.”

What’s more, UpGuard researchers discovered another misconfigured
database from Medico when investigating the initial leak.


Amarin Pharma recently confirmed a June 20 report from vpnMentor that
showed the full identifying information of about 78,000 patients was
exposed by a misconfigured database.

vpnMentor researchers discovered a MongoDB database containing
information related to patients who take the prescription medication
Vascepa. A second database containing transaction information was also
left exposed.

The data included patient names, contact information, the prescribing
doctor, pharmacy information, insurance details, and the national
provider identifier.

On June 20, officials said they were contacted about the misconfigured
database by their third-party vendor that provides Amarin with copay
assistance programs through customer management services related to

The error left the sensitive patient information exposed for nearly
two months between May 2 and June 20. Data access or acquisition could
not be ruled out. The database has been secured, and Amarin officials
said the database will not be brought back online until appropriate
safeguards are implemented.

These two separate security incidents are just the latest in an
ongoing pattern of misconfigured databases in the healthcare sector.
Just last month, a DNA testing service vendor reported a years-long
consumer data breach due to a leaky database, while a December report
showed 30 percent of online health databases expose patient data.

For UpGuard, healthcare’s data exposure issue is not due to a lack of
awareness or “information that allows it to go unchecked.” Rather,
resources storing sensitive data have been misconfigured.

“These misconfigurations occur due to poor operation processes that
fail to account for the risk of data exposure, both in primary systems
and in third party vendors,” UpGuard researchers wrote. “Only by
proactively addressing these risks, building not just security, but
risk mitigation, into data handling operations, can such errors and
oversights be addressed in a timely enough way to prevent exposed data
from being exploited.”

“Furthermore, the laws and regulations holding healthcare entities
responsible must have teeth. They must be enforced, and the penalties
must make it so that companies are better off doing the right thing
than taking the chance of a breach and paying any penalties should
they come up,” they added.
