The patient data from multiple providers appears to have been captured and subsequently leaked on the data repository GitHub Arctic Code Vault by third-party vendor MedData, according to a new collaborative report from security researcher Jelle Ursem and Dissent Doe of DataBreaches.net.
Through his research, Ursem detected troves of protected health information tied to a single developer… The databases were taken down on December 17. MedData recently released a notice that detailed the massive patient data breach, which involved information provided to the vendor for processing services… Officials discovered that an employee had saved files to personal folders created on the GitHub repository between December 2018 and September 2019, during their employment…
The impacted data included patient names combined with one or more data elements, such as subscriber ID, Social Security numbers, diagnoses, conditions, claims data, dates of services, medical procedure codes, insurance policy numbers, provider names, contact details, and dates of birth. All affected patients will receive free credit monitoring and identity protection services… This is the second report from Ursem and Dissent on GitHub repositories leaking patient data in the last six months. In August, they reported that at least nine GitHub repositories leveraging improper access controls leaked data from more than 150,000 to 200,000 patients. The data belonged to multiple providers.
The incidents highlight the importance of vendor management and the need to ensure security policies are aligned. Previous reports have shown about one-third of healthcare databases stored in the cloud, or even locally, are actively leaking data online. What’s worse, misconfigured databases can be hacked in about eight hours.
DataBreaches.net wonders what happened after Med-Data reached out to GitHub about the vault’s logs and removal of the code.
Did GitHub provide the logs? If so, what did they show? Is anyone’s Protected Health Information in GitHub’s Arctic Code Vault? And if so, what happens? Will GitHub remove it…? Or will code just be left there for researchers to explore in 1,000 years so they can wade through the personal and protected health information or other sensitive information of people who trusted others to protect their privacy?
In November 2020, Ursem posed the question to GitHub on Twitter. They never replied.