Meds prescriptions for 78,000 patients left in a database with no password

A MongoDB database was left open on the internet without a password, exposing the personal details and prescription information of more than 78,000 US patients.

The leaky database was discovered by the security team at vpnMentor, led by Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet earlier this week.

The database contained information on 391,649 prescriptions for a drug named Vascepa, used for lowering triglycerides (fats) in adults who are on a low-fat and low-cholesterol diet.

The database also contained the collective information of over 78,000 patients who were prescribed Vascepa in the past.

Leaked information included patient data such as full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more.

[Image: HIPAA leak screenshot. Credit: vpnMentor]

According to the vpnMentor team, all the prescription records were tagged as originating from PSKW, the legal name for a company that provides patient and provider messaging, co-pay, and assistance programs for healthcare organizations via a service named ConnectiveRX.

Source: Meds prescriptions for 78,000 patients left in a database with no password | ZDNet