PHI from A Number of Covered Entities Shared on GitHub

Med-Data Inc. has affirmed that the protected health information (PHI) of patients of a number of of its clients were published on GitHub, an open-source software creation hosting site. And unauthorized persons could have viewed the information.

The revenue cycle management services vendor located in Spring, TX provides support to healthcare providers and health plans by means of processing Medicaid qualification, third party liability, staff’ salaries and patient medical billing. On December 10, 2020, security researcher Jelle Ursem informed Med-Data regarding certain data found on GitHub. Med-Data’s breach notice mentioned that on December 14, 2020, Dissent Doe of gave a URL to the uploaded records.

An investigation was promptly started, and it was confirmed that one of its staff had copied files comprising PHI to private folders on GitHub Arctic Code Vault from December 2018 to September 2019. Med-Data explained that on December 17, 2020, the files were taken from GitHub.

The information found in the files included names, birth dates, Social Security numbers, addresses diagnoses, medical ailments, claims data, subscriber IDs, dates of service, medical procedure codes, name of provider, and health insurance policy numbers. Med-Data informed all covered entities on February 8, 2020 and dispatched notifications to affected people on March 31, 2021. All persons impacted got offers of free credit monitoring and identity protection services via IDX.

To avert the same breaches down the road, Med-Data has blacklisted the usage of all file sharing sites, made upgrades to its internal data guidelines and procedures, set up a security operations center, and integrated a managed detection and response service.

The Department of Health and Human Services was advised concerning the breach on February 8, 2021; nonetheless, the breach is till not mentioned on the OCR breach website, thus it is not clear how many people were affected. Covered entities that have stated they were impacted consist of UChicago Medicine, Aspirus, OSF Healthcare, SCL Health, Memorial Hermann Health System And King’s Daughters’ Health System.

Though Med-Data has affirmed that the files were removed from GitHub, that doesn’t automatically mean that the data is already safe. The information were loaded to the GitHub Arctic Code Vault, which is an open data repository employed for ongoing storage of data files. The storage service was made to safely save files for 1,000 years. The storage service needed the files to be stored to a physical storage media, a hardened film, which was sent to the GitHub Arctic Code Vault, based in a coal mine in Svalbard, Norway.

The films include a big volume of files which was up-to-date until February 2nd, 2020 the date the archive was completed. Considering that Med-Data had the records taken from GitHub on December 17, 2020, it is possible that much of the information was also kept on film and brought to the archive. Med Data got in touch with GitHub and inquired for the records of activity of the vault to know whether any of its records had been kept in the films and to schedule its removal, nevertheless it is uncertain what took place after sending the request. Nevertheless, there was unconfirmed information that MedData may possibly sue GitHub to acquire the logs.

Jelle Ursem and Dissent Doe also discovered other GitHub data breaches. In August 2020, they said that the healthcare records of about 150,000 to 200,000 persons were likewise loaded to GitHub and made viewable to anyone.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at