PHI Compromised Because of Two Data Breaches at Amarin and Medico

A database that stored the private information of people who showed interest in Vascepa®, a cholesterol drug manufactured by Amarin Pharma, was left unsecured on the internet.

A third-party provider managed the database, which stored information such as full names, home addresses, email addresses, phone numbers, whether the person wanted a copay card for Vascepa®, and medication data.

Amarin found out about the breach when media reported that an unprotected database containing the information of Amarin clients had been found. Amarin investigated quickly and identified which database was compromised. On the same day, Amarin took the required steps to deactivate data feeds and protect the database.

According to the vendor's investigation, a misconfiguration left the database accessible online from May 2, 2018 until June 20, 2019.

Unauthorized access to the database by a third party from May 29, 2019 to June 20, 2019 was likewise confirmed. Some data may have been copied during that period.

Amarin and its vendor are still investigating the breach. The database has not yet been brought back online, as there are further safeguards that ought to be put in place to keep other unintentional disclosures from happening.

According to vpnMentor, the database contained the records of about 78,000 men and women. There was a second database exposed, which stored transaction data.

Another database was exposed online. UpGuard's security researchers learned that data in an Amazon S3 bucket was publicly accessible. The bucket stored roughly 14,000 files with personal, healthcare, and financial information. It belongs to Medico, a vendor processing billing and insurance information.

The files contained in the compromised database included text files, spreadsheets, PDF files, documents, and photos. The compromised files stored information like names, contact information, insurance information, banking information, usernames, passwords, other private data, Social Security numbers, medical information, and prescription details. The majority of the information was from patients who consulted with a doctor in 2018.

UpGuard notified the vendor about the unprotected Amazon S3 bucket. The vendor took immediate action and secured the database, including the files. It is not yet known whether the information was accessed before UpGuard researchers issued their warning.

Elizabeth Hernandez
