Unprotected MongoDB database exposes prescription information of over 78,000 US patients

• The open database has exposed the information on 391,649 prescriptions for a drug named Vascepa, and the personal details of over 78,000 patients who were prescribed Vascepa in the past.
• The exposed patient details include full names, addresses, phone numbers, and email addresses.

Researchers from vpnMentor, Noam Rotem and Ran Locar uncovered a MongoDB database that was left open to the public without any password protection.

What data was exposed?

The open database has exposed the information on 391,649 prescriptions for a drug named Vascepa, and the personal details of over 78,000 patients who were prescribed Vascepa in the past.

• The exposed patient details include full names, addresses, phone numbers, and email addresses.
• The exposed transaction details include the prescribing doctor, pharmacy ID, pharmacy name, pharmacy address, National Provider Identifier number, member ID, and NABP E-Profile Number.

What is Vascepa?

Vascepa is a drug used for lowering triglycerides (fats). This drug is prescribed for adults who are on a low-fat and low-cholesterol diet.

Who is the owner of the database?

The database contained id codes for two companies, Constant Contact, and PSKW.

“Notably, there are id codes for two other companies, Constant Contact, an email marketing platform and PSKW, the legal name for an electronic prescription program, ConntectiveRX,” researchers said in a blog.

The researchers who discovered the leaky database shared their findings with ZDNet to find the owner of the database and take it offline.

ZDNet contacted PSKW in order to find if the company owned the exposed database or to get any information about the possible source of the leaky database, however, they did not get any response. They also reached out to Amarin, the maker of the Vascepa drug, but did not hear back from the company.

“We suspect the database may belong to ConnectiveRX, given the consistency of the tags in the data. However, we only found data concerning Vascepa prescriptions, which makes it less clear where the leak originated,” researchers said.