Vascepa is a prescription drug from Amarin that is used to control high levels of triglycerides in the blood. On May 29, Amarin shares jumped by more than 10% following news that the FDA would prioritize its review of Vascepa labeling as a cardiovascular drug — which is expected to be favorable.
At around the same time, researchers from vpnMentor discovered two unprotected plaintext databases concerning the drug. The first contained the personal information of more than 78,000 Vascepa patients. The second contained details on more than 390,000 prescription transactions.
The leaked personal information included patients' full names, mobile phone numbers, email addresses, and home addresses. The transaction data included pharmacy names and addresses, pharmacy IDs, the prescribing doctor, prescribers' medical license types, member IDs, National Provider Identifier (NPI) numbers, and NABP (National Association of Boards of Pharmacy) E-Profile numbers.
Database Ownership Remained Undetermined:
Initial investigation of the unsecured databases led the researchers to believe that they belonged to ConnectiveRX. However, they could not reach a firm conclusion, since the databases contained prescriptions for only one drug.
The vpnMentor researchers believed that the databases may belong to ConnectiveRX, a firm that says it “works with biopharmaceutical manufacturers to help commercialize and maximize the benefits of branded and specialty medications.” SecurityWeek has contacted ConnectiveRX for confirmation (or denial) of this.
ConnectiveRX responded to SecurityWeek, denying that the database belonged to the company. “The database referenced in the recent media article is not a database that we maintain or even have access to. We don’t use that database management system at all for any of our programs,” David Yakimischak, CTO at ConnectiveRx, said.
The researchers also explain that the databases are MongoDB databases, saying, “We found the unsecured data through MongoDB, which is an open and unsecured database that can be accessed by anyone.” MongoDB itself is not inherently open or unsecured; in this case, however, the database was deployed and its storage exposed without any protection.
Amazon has responded to such leaks by improving its security options, for example with a ‘block public access’ feature. MongoDB has responded this week with the announcement of new client-side field-level encryption. Both features have the potential to eliminate this kind of exposure — but both retain one major drawback: they have to be used by the database owners, or at least by the data users, who may be marketing staff with no knowledge of security who simply need temporary storage for a large subset of data.
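The exposure described above comes down to a deployment left reachable without access controls. As an added illustration of the kind of check a database owner could run before a dataset like this is loaded (example code written for this article, not code from vpnMentor, Amarin, ConnectiveRx or MongoDB), the following audits a mongod.conf file for the settings that turn a MongoDB server into an "open database": authorization not enabled, the listener bound to all interfaces, and TLS not required. The two configuration files are constructed samples; the parser handles only the nested key/value subset of YAML that mongod.conf uses and is an assumption of this example, not a full YAML implementation.

```python
"""Audit a mongod.conf (nested key/value YAML subset) for exposure patterns.

Constructed sample configurations for this example; the option names
(security.authorization, net.bindIp, net.bindIpAll, net.tls.mode) are
real mongod settings, the file contents are made up.
"""

# Constructed sample: the shape of a deployment that leaks to the whole internet.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
# no 'security' section: mongod defaults to authorization disabled
"""

# Constructed sample: the same server with the three controls applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private application host
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

# Values of net.bindIp that expose the listener on every interface.
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_conf(text):
    """Flatten the indented 'key: value' subset of mongod.conf into a dict keyed
    by dotted path, e.g. {'net.bindIp': '0.0.0.0'}. Blank lines and '#' comments
    are skipped; nesting is derived from indentation."""
    result = {}
    stack = []  # (indent, key) for each enclosing mapping
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:  # a bare 'key:' line opens a nested mapping, not a value
            result[".".join(k for _, k in stack)] = value
    return result


def audit(conf_text):
    """Return a list of (severity, finding) tuples; an empty list means none of
    the exposure patterns checked here were found."""
    conf = parse_conf(conf_text)
    findings = []

    # mongod ships with authorization disabled unless the file enables it.
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append(("high", "security.authorization is not 'enabled': any client that "
                                 "reaches the port can read and modify every database"))

    # Since MongoDB 3.6 the default bind is localhost only; 0.0.0.0, '::' or
    # bindIpAll widen it to every interface.
    bind_addrs = {a.strip() for a in conf.get("net.bindIp", "127.0.0.1").split(",")}
    if conf.get("net.bindIpAll") == "true" or bind_addrs & ALL_INTERFACES:
        findings.append(("high", "net.bindIp / net.bindIpAll exposes the listener on all "
                                 "interfaces; restrict it to loopback or trusted hosts"))

    # Without requireTLS, credentials and records cross the network in plaintext.
    if conf.get("net.tls.mode", "disabled") != "requireTLS":
        findings.append(("medium", "net.tls.mode is not 'requireTLS': traffic is unencrypted"))

    # Both high findings together is the 'open database' pattern behind this kind of leak.
    if sum(1 for sev, _ in findings if sev == "high") == 2:
        findings.insert(0, ("critical", "no authentication AND reachable from every interface: "
                                        "the database is readable by anyone who finds the port"))
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, finding in audit(conf) or [("ok", "no exposure patterns found")]:
            print(f"  [{severity}] {finding}")
```

Run as a script it prints the findings for both samples; in practice you would feed it the server's real configuration file and treat any "critical" result as a blocker before the instance is allowed to hold patient or transaction records. The checks are deliberately conservative: they only confirm that the three controls are present in the file, not that the host firewall or cloud security group also restricts the port.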