A MongoDB database was left open on the internet without a password, and by doing so, exposed the personal details and prescription information for more than 78,000 US patients.
The leaky database was discovered by the security team at vpnMentor, led by Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet earlier this week.
The database contained information on 391,649 prescriptions for a drug named Vascepa, which is used to lower triglycerides (fats) in adults who are on a low-fat and low-cholesterol diet.
Additionally, the database also contained the collective information of over 78,000 patients who were prescribed Vascepa in the past.
Leaked information included patient data such as full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more.
According to the vpnMentor team, all the prescription records were tagged as originating from PSKW, the legal name of the company that provides patient and provider messaging, co-pay, and assistance programs for healthcare organizations under the ConnectiveRx brand.
"We suspect the database may belong to ConnectiveRX, given the consistency of the tags in the data," the vpnMentor team said. "However, we only found data concerning Vascepa prescriptions, which makes it less clear where the leak originated."
The source may have been PSKW itself, one of its partners, a test system, or data stolen from some as yet unknown entity.
When we reached out to PSKW, the company denied owning any such database.
"The database referenced in the recent media article is not a database that we maintain or even have access to. We don't use that database management system at all for any of our programs," David Yakimischak, CTO at ConnectiveRx, told us via email.
ZDNet also reached out to Amarin, the maker of Vascepa, seeking help in tracking down the database owner or any other additional information, but Amarin did not return our email.
vpnMentor argues that whoever left the database open, be it PSKW or one of its partners, has violated HIPAA and may be in line for a hefty fine for failing to encrypt the patient data stored on the database server, which vpnMentor describes as a HIPAA golden rule. Two caveats apply. Under the HIPAA Security Rule, encryption of stored data is an "addressable" safeguard rather than a strictly "required" one, so the exposure alone does not settle the question of a violation on that ground. More fundamentally, Dissent, the administrator of DataBreaches.net, a website dedicated to tracking data breaches and HIPAA violations, told ZDNet that just because a system stores medical information does not mean it is necessarily covered by HIPAA. Until the database owner is identified, no further conclusions can be drawn.