Data on Patients Taking Vascepa Prescription Medication Exposed

78,000 Patient Healthcare Records Exposed in Unsecured MongoDB Database

Vascepa is a prescription drug from Amarin that is used to control high levels of triglycerides (let's say, 'bad fat') in the blood. Since bad fat in the blood is also harmful to the heart, there is an obvious connection to cardiovascular issues. On May 29, Amarin shares jumped by more than 10% following news that the FDA would prioritize its review of Vascepa labeling as a cardiovascular drug -- which is expected to be favorable.

At around the same time, researchers from vpnMentor discovered two unprotected plaintext databases concerning the drug. The first contained the personal information of more than 78,000 Vascepa patients. The second contained details on more than 390,000 prescription transactions.

The patient data comprises full name, postal address, mobile phone number and email address. The transaction data includes the pharmacy name, address and the prescribing doctor. Although there is no direct link between the two databases, educated guesses about which patient belongs to which transaction could be made via geo-proximity. Apart from the basic phishing threat from the personal data alone, this could leave patients exposed to vishing (voice phishing) attacks from scammers pretending to be the patient's doctor or the doctor's assistant.

The vpnMentor researchers believed that the databases may belong to ConnectiveRX, a firm that says it "works with biopharmaceutical manufacturers to help commercialize and maximize the benefits of branded and specialty medications." SecurityWeek has contacted ConnectiveRX for confirmation (or denial) of this. 

Update: ConnectiveRX responded to SecurityWeek, denying that the database belonged to the company. “The database referenced in the recent media article is not a database that we maintain or even have access to. We don’t use that database management system at all for any of our programs,” David Yakimischak, CTO at ConnectiveRx, said.

Regardless of who owns or operates the databases, it will not absolve the primary owner of the data -- whether the pharmaceutical company or some other organization. "It is the responsibility of the owner of the data to ensure that all users of the data follow the rules, and they are culpable for exposure as a result of a 'trusted' third party messing up," explains Todd Peterson, IAM evangelist at One Identity.

The researchers also describe the databases as MongoDB databases, saying, "We found the unsecured data through MongoDB, which is an open and unsecured database that can be accessed by anyone." MongoDB is not inherently open or unsecured; in this case, however, the deployment and its storage were left unsecured.

With the rise of the cloud -- especially its low-cost storage -- unsecured data stores have become common. Large-scale exposures in AWS S3 buckets, Elasticsearch clusters and MongoDB databases have all been found over the last few years. In April 2019, Upguard found an unsecured AWS S3 bucket containing 146 gigabytes (540 million records) of Facebook-related data including account names, comments, likes, and Facebook IDs.

In November 2018, Hacken Proof discovered unsecured Elasticsearch databases containing personal data of 82 million U.S. users.  On February 25, 2019, researcher Bob Diachenko discovered an unsecured MongoDB instance of 800 million records including email addresses and phone numbers. 

Amazon has responded to such leaks by improving its security options -- for example with a 'block public access' feature for S3. MongoDB responded this week with the announcement of client-side field-level encryption. Both features have the potential to eliminate this kind of exposure -- but both retain one major drawback: they have to be switched on by whoever sets up the store. That is not always the database owner; it may be a data user, perhaps marketing staff with no security knowledge who just need temporary storage for a large subset of the data.

It should be stressed that the providers -- whether database or storage -- are not themselves insecure. It is the configuration and use of them that can be insecure. For example, Davi Ottenheimer, VP of trust & digital ethics at MongoDB, told SecurityWeek, "MongoDB is not an open and unsecured database. For years, the company has provided education and options to ensure security configuration best practices are easily setup and deployed. Someone has to intentionally configure the database to be open."
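As an added example (not part of the article, and not MongoDB's own tooling), the script below audits a mongod.conf for the two settings whose combination produces exactly the kind of exposure described here: net.bindIp / net.bindIpAll and security.authorization. The two sample configurations are constructed for illustration; the minimal parser handles only the indented key: value subset of YAML that mongod.conf uses; and the defaults it assumes when a setting is absent (localhost binding, authorization disabled) are those of MongoDB 3.6 and later.

```python
"""Flag the mongod.conf settings that turn a MongoDB server into an open,
unauthenticated instance. Added example; the configs below are constructed."""
from typing import Any, Dict, List

# Constructed example: listens on every interface with access control off.
OPEN_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from any network the host is attached to
security:
  authorization: disabled
"""

# Constructed example: the same server with both settings corrected.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application subnet only
security:
  authorization: enabled       # every client must authenticate and be authorized
"""


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the indentation-based `key: value` subset of YAML used by mongod.conf.
    Lists, quoted scalars and multi-line values are not needed for this audit."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping) for each enclosing section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close sections at the same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            section: Dict[str, Any] = {}
            parent[key] = section
            stack.append((indent, section))
    return root


def audit(conf: Dict[str, Any]) -> List[str]:
    """Return findings, worst first. Assumed defaults (MongoDB 3.6+): bindIp is
    localhost and authorization is disabled when the setting is absent."""
    net = conf.get("net", {})
    security = conf.get("security", {})
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    listens_everywhere = bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips)
    auth_enabled = str(security.get("authorization", "disabled")).lower() == "enabled"

    findings: List[str] = []
    if listens_everywhere and not auth_enabled:
        findings.append("CRITICAL: bound to all interfaces with authorization disabled; "
                        "anyone who can reach the port can read and modify every database")
    elif listens_everywhere:
        findings.append("WARNING: bound to all interfaces; restrict net.bindIp or firewall "
                        "the port so that only application hosts can connect")
    elif not auth_enabled:
        findings.append("WARNING: authorization disabled; any local process can read all "
                        "data, and a later bindIp change would expose it unauthenticated")
    return findings


def is_open_to_the_internet(conf: Dict[str, Any]) -> bool:
    """True when the config matches the 'open and unsecured' pattern from the article."""
    return any(f.startswith("CRITICAL") for f in audit(conf))


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_simple_yaml(text)) or ['OK']}")
```

The check is deliberately about configuration rather than network probing: the exposure in such incidents is created at deployment time, and a config audit in a build pipeline catches it before the instance is ever reachable. Binding to a private interface is only half the fix; authorization must also be enabled, otherwise anything that can reach the port (including a compromised neighbour on the same subnet) reads everything.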

Lack of security knowledge cuts no ice with Peterson. "This is just an example of bad security," he said. "Everyone knows better than to just leave sensitive data exposed, but some people still do it -- whether it's out of laziness, ignorance, or carelessness, it is entirely unacceptable. This is an egregious violation of every regulation imaginable because there was obviously no 'best effort' to do the right thing."

In the current Vascepa leak, somebody is most likely non-compliant with HIPAA. A breach of unsecured protected health information affecting 500 or more people must be reported "without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach." At the time of writing, there is no corresponding entry on the HIPAA breach reporting list -- although it may simply be too recent to have appeared yet.

"The healthcare industry, more specifically the leading pharmacies," warns Robert Prigge, president at Jumio, "needs to ensure that these breached records don't become the tools used for account takeovers. Just how easy would it be for a fraudster to impersonate a breached patient and secure their prescriptions (including many controlled substances) online? Incredibly easy with outdated authentication methods. Pharmacies need to adopt more advanced digital identity verification and authentication technology to make sure that a patient's digital identity matches their physical identity after so many high-profile healthcare data breaches."

*Updated with statement from ConnectiveRx

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.