Patients’ PHI Compromised Due to Unsecured Amarin and Medico Database


A database that contains the personal data of people who were interested in Vascepa®, Amarin Pharma’s cholesterol drug, was exposed on the internet.

A third-party vendor maintained the database, which contained data including full names, email addresses, addresses, phone numbers, interest in a copay card for Vascepa®, and medication information.

Amarin discovered the breach through media reports about an exposed database containing details of Amarin customers and promptly started an investigation. The company identified right away which database was exposed, took action to stop active data feeds, and secured the database on the same day.

According to the vendor’s investigation, a misconfiguration of the database left it accessible on the internet from May 2, 2018 to June 20, 2019.

The vendor’s investigation also confirmed that a third party had unauthorized access to the database from May 29, 2019 to June 20, 2019, and copied some data during that time frame.

The breach is still being investigated by Amarin and its vendor. The database has not yet been made accessible online again because additional safeguards need to be implemented to prevent any further unintentional disclosures.

According to vpnMentor, the records of roughly 78,000 people were found in the database. A second exposed database was also discovered; it contained transaction information.

Database of Medico Exposed Online

Security researchers at UpGuard discovered the exposure of a database stored in an unprotected Amazon S3 bucket. The database contained approximately 14,000 documents with healthcare, personal and financial data. The database was associated with Medico, a vendor providing billing and insurance data processing.

The database contained spreadsheets, documents, text files, PDF files, and images, which were accessible. The files contained information such as names, contact details, banking details, insurance data, Social Security numbers, usernames, passwords, other personal information, medical data, and prescription data. Much of the data was from 2018.

UpGuard informed the vendor about the unsecured Amazon S3 bucket. The vendor secured the database and files promptly on the same day. It is not known if the information was accessed without authorization before the UpGuard researchers discovered the breach.