Meds Prescriptions For 78,000 Patients Left In a Database With No Password (zdnet.com)
An anonymous reader quotes a report from ZDNet: A MongoDB database was left open on the internet without a password, and by doing so, exposed the personal details and prescription information for more than 78,000 U.S. patients. The database contained information on 391,649 prescriptions for a drug named Vascepa, used for lowering triglycerides (fats) in adults that are on a low-fat and low-cholesterol diet. Additionally, the database also contained the collective information of over 78,000 patients who were prescribed Vascepa in the past. Leaked information included patient data such as full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more. "According to vpnMentor, the company that left the database open may have violated HIPAA, and may be in line for a hefty fine for failing to encrypt the patient data it had stored on the database server, a HIPAA golden rule," the report adds. "However, Dissent, the administrator of DataBreaches.net, a website dedicated to tracking data breaches and HIPAA violations, told ZDNet that just because a system stores medical information, it doesn't mean it's necessarily covered by HIPAA. Until the database owner is found, no other conclusions can be drawn."
why is the DB port open like that? (Score:2)
Re: (Score:3)
Default installation.
Default installation is open to public internet? (Score:2)
Re:Default installation is open to public internet (Score:4, Informative)
Depends on what you're hosting it on. If you're on a 'cloud' system like AWS or DigitalOcean without a firewall enabled, pretty much yes. MongoDB responds to 0.0.0.0 without a password. Many sysadmins don't know what 0.0.0.0 means and think that since it's not a valid IP it won't work.
Re: (Score:2)
You're talking about AWS instances.
MongoDB (the application) is open by default:
https://www.theregister.co.uk/... [theregister.co.uk]
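The two comments above come down to two settings in the daemon's own configuration: which interfaces mongod listens on and whether clients must authenticate. The following audit script is an added example, not code from the article, from vpnMentor or from the MongoDB project. It reads a mongod.conf in the YAML format, using a small indentation-based parser written here (standard library only, so it does not need PyYAML), and flags the wildcard bind address and disabled authorization. The option names `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod options; both sample configurations are constructed for the example. It only inspects the daemon config; a host firewall or cloud security group, which the comment above also mentions, is a separate layer that this script does not check.

```python
"""Audit a mongod.conf (YAML format) for the two settings behind most
"open MongoDB" exposures: listening on every interface and running with
authorization disabled.  Standard library only; the parser handles the
indented key/value subset that mongod.conf files normally use, not full
YAML.  Added example, not MongoDB project code."""

from typing import Any, Dict, List


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse an indentation-based subset of YAML into nested dicts.

    Supports 'key:' (nested mapping) and 'key: value' (scalar); comments
    and blank lines are ignored.  Enough for mongod.conf, not general YAML.
    """
    root: Dict[str, Any] = {}
    # Stack of (indent, mapping) frames; deeper indentation nests.
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        # Close any frames that are at least as deeply indented as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if ": " in stripped:  # scalar value, e.g. "bindIp: 0.0.0.0"
            key, _, value = stripped.partition(": ")
            parent[key.strip()] = value.strip().strip("\"'")
        elif stripped.endswith(":"):  # nested mapping, e.g. "net:"
            child: Dict[str, Any] = {}
            parent[stripped[:-1].strip()] = child
            stack.append((indent, child))
    return root


def _lookup(conf: Dict[str, Any], dotted: str) -> Any:
    """Fetch conf['a']['b'] for dotted path 'a.b'; None when absent."""
    node: Any = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    bind_all = _lookup(conf, "net.bindIpAll")
    bind_ip = _lookup(conf, "net.bindIp")
    if str(bind_all).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        # mongod 3.6 and later default to localhost; older releases
        # listened on all interfaces when bindIp was not set.
        findings.append("net.bindIp not set: relies on the binary default "
                        "(localhost from 3.6 on, all interfaces before)")
    else:
        addrs = [a.strip() for a in str(bind_ip).split(",")]
        if "0.0.0.0" in addrs or "::" in addrs:
            findings.append(f"net.bindIp={bind_ip}: wildcard address, "
                            "reachable from any network the host is on")

    authz = _lookup(conf, "security.authorization")
    if str(authz).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "clients connect without credentials")
    return findings


# Constructed sample configs (not from the article): the exposed shape
# beside a hardened one.
OPEN_CONF = """\
# mongod.conf (constructed example)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# mongod.conf (constructed example)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

Run it against `/etc/mongod.conf` (`audit_mongod_conf(open("/etc/mongod.conf").read())`) and treat any finding as a configuration bug to fix before the host gets a public address; the unset-bindIp finding is deliberately conservative because the safe default only arrived with 3.6.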
Appropriate name (Score:1)
Obligatory (Score:4, Funny)
MongoDB is web scale. It scales better than SQL databases because it doesn't waste cycles on complicated tasks such as joins, or security.
Re: (Score:2)
Haha! That was priceless back in the day [youtube.com] and still cracks me up.
Re: (Score:2)
No, lots of people don't have healthcare.
Also some people just pay their bills on a debit card with no insurance and they're in less of the databases.
A lot of medical services give a discount if you pay the full amount at time of service.
Re: (Score:3)
You're right about handling stolen property, but HIPAA is funny. It only applies to "covered entities". According to Health and Human Services's website (https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html) a covered entity is a health care provider, a health plan, or a health care clearinghouse. Other parties that hold private medical information (like, say, a drug manufacturer) are not liable under HIPAA for revealing that information. So until we know who owned the database, we can
Mongo users (Score:2)
If you use Mongo, you probably aren't the type of developer who gets worried about security.
78000 people?? (Score:2, Funny)
Wow, that's pretty near 0.024% of the US population!
It's outrageous, I tell you!