
Patient Data from Multiple Providers Leaked in Third-Party GitHub Incident

A new report shows an employee of third-party vendor MedData uploaded troves of patient data from multiple providers onto the public data repository, GitHub Arctic Code Vault.

The patient data from multiple providers appears to have been captured and subsequently leaked on the data repository GitHub Arctic Code Vault by third-party vendor MedData, according to a new collaborative report from security researcher Jelle Ursem and Dissent Doe of DataBreaches.net.

MedData provides revenue cycle services to healthcare systems and hospitals, including Medicaid eligibility, third-party liability, workers’ compensation, and patient billing services.

The data was discovered on the Arctic Code Vault, which is an open-source, public data repository in a long-term archival facility designed to last for up to 1,000 years. Through his research, Ursem detected troves of protected health information tied to a single developer.

The majority of the data appeared to be claims data, or Electronic Data Interchange (EDI), from multiple providers, which pointed to the data stemming from a third party. Further analysis found the data belonged to a healthcare business associate, MedData.

MedData was notified of the incident in early December, but Ursem and Dissent did not receive a response until several weeks and multiple failed attempts later. The vendor was then provided links to the repositories leaking the PHI.

The databases were taken down on December 17. MedData recently released a notice that detailed the massive patient data breach, which involved information provided to the vendor for processing services.

The notice confirms MedData was contacted by Ursem and Dissent in early December, to notify the vendor that patient data tied to its clients had been uploaded to a public website.

An internal investigation was launched to validate the claims. Officials discovered that an employee had saved files to personal folders created on the GitHub repository between December 2018 and September 2019, during their employment.

Upon discovery, MedData removed the databases from the public site on December 17, 2020. Officials said they contracted with a third-party cybersecurity firm to review the files to identify the impacted PHI and patient contact information.

The impacted data included patient names combined with one or more data elements, such as subscriber ID, Social Security numbers, diagnoses, conditions, claims data, dates of service, medical procedure codes, insurance policy numbers, provider names, contact details, and dates of birth.

All affected patients will receive free credit monitoring and identity protection services.

The covered entities impacted by the event were notified on February 8, 2021, while the Department of Health and Human Services and patients were informed of the incident on March 31.

So far, at least five covered entities have issued their own breach notifications: King’s Daughters’ Health System, OSF HealthCare, Aspirus, UChicago Medicine, and Memorial Hermann Health System.

According to the notices, MedData is continuing to work with outside security parties to confirm all data tied to the incident has been deleted and physically destroyed, as well as to determine if the data has been shared with anyone else.

UChicago notified patients that officials are reviewing the relationship with MedData to ensure the vendor’s security practices align with the health system’s.

This is the second report from Ursem and Dissent on GitHub repositories leaking patient data in the last six months. In August, they reported that at least nine GitHub repositories with improper access controls leaked data from more than 150,000 to 200,000 patients. The data belonged to multiple providers.

The incidents highlight the importance of vendor management and the need to ensure security policies are aligned. Previous reports have shown about one-third of healthcare databases stored in the cloud, or even locally, are actively leaking data online.

What's worse, misconfigured databases can be hacked in about eight hours.

Healthcare entities should continue to assess relationships with business associates and other related vendors to safeguard against these types of data leaks, particularly in light of recent supply chain incidents.

Security researchers have stressed that third-party relationships require constant scrutiny that begins during the contracting stage and continues with annual risk assessments. Strong business associate agreements not only help with HIPAA compliance; the contract can also outline what entities are permitted and required to do when it comes to protecting the privacy and security of PHI.
