Researchers have found an unprotected database that publicly exposed thousands of medical prescriptions. The database leaked Vascepa prescriptions for over 78,000 patients. Moreover, it also leaked the personal details of these patients.
Vascepa Prescriptions Exposed Online
The vpnMentor hacktivist duo, Noam Rotem and Ran Locar, found another leaky database as they proceed with their web mapping project. This time, the unsecured database exposed patient data and medical prescriptions for a drug ‘Vascepa’. Vascepa is a supplement medication, manufactured by Amarin, for reducing triglycerides.
Specifically, the duo discovered an unsecured MongoDB that leaked Vascepa prescriptions for over 78,000 patients. Alongside prescriptions, the publicly accessible database also exposed personally identifiable information (PII) of the patients taking the drug. Moreover, the researchers could also a second database having information about transactions.
As stated in the vpnMentor blog post,
The data includes full identifying information for the 78,000+ patients who take the medication. A second database with transaction information was also available.
Regarding the leaked personal information, it included patients’ full names, mobile phone numbers, email addresses, and home addresses. Whereas, the transaction data included pharmacies’ names and addresses, pharmacy ID, prescribing doctor, prescribers’ medical license types, member ID, National Provider Identifier (NPI) number, and NABP (National Association of Boards of Pharmacy) E-Profile number.
Database Ownership Remained Undetermined
Initial investigations regarding the unsecured database made researchers believe that it belonged to ConntectiveRX. Though, they couldn’t deduce firm results since the database only contained prescriptions for one drug only.
We suspect the database may belong to ConnectiveRX, given the consistency of the tags in the data.
Nonetheless, ZDNet revealed that the firm denied the ownership. According to the statement by ConnectiveRx CTO, David Yakimischak,
The database referenced in the recent media article is not a database that we maintain or even have access to. We don’t use that database management system at all for any of our programs.
Thus, the identity of the database owner remains veiled.
Just before this report, the two researchers also highlighted data leakage through an open database belonging to XSocialMedia – a Facebook advertising agency. The incident also exposed medical information regarding US veterans.
Let us know your thoughts in the comments.