Did Patient Health Information Leak Into GitHub's Arctic Code Vault? (healthitsecurity.com) 25
HealthITSecurity writes:
The patient data from multiple providers appears to have been captured and subsequently leaked on the data repository GitHub Arctic Code Vault by third-party vendor MedData, according to a new collaborative report from security researcher Jelle Ursem and Dissent Doe of DataBreaches.net.
Through his research, Ursem detected troves of protected health information tied to a single developer... The databases were taken down on December 17. MedData recently released a notice that detailed the massive patient data breach, which involved information provided to the vendor for processing services... Officials discovered that an employee had saved files to personal folders created on the GitHub repository between December 2018 and September 2019, during their employment...
The impacted data included patient names combined with one or more data elements, such as subscriber ID,Social Security numbers, diagnoses, conditions, claims data, dates of services, medical procedure codes, insurance policy numbers, provider names, contact details, and dates of birth. All affected patients will receive free credit monitoring and identity protection services... This is the second report from Ursem and Dissent on GitHub repositories leaking patient data in the last six months. In August, they reported that at least nine GitHub repositories leveraging improper access controls leaked data from more than 150,000 to 200,000 patients. The data belonged to multiple providers.
The incidents highlight the importance of vendor management and the need to ensure security policies are aligned. Previous reports have shown about one-third of healthcare databases stored in the cloud, or even locally, are actively leaking data online. What's worse, misconfigured databases can be hacked in about eight hours.
DataBreaches.net wonders what happened after Med-Data reached out to GitHub about the vault's logs and removal of the code. Did GitHub provide the logs? If so, what did they show? Is anyone's Protected Health Information in GitHub's Arctic Code Vault? And if so, what happens? Will GitHub remove it...? Or will code just be left there for researchers to explore in 1,000 years so they can wade through the personal and protected health information or other sensitive information of people who trusted others to protect their privacy?
In November, 2020, Ursem posed the question to GitHub on Twitter. They never replied.
Through his research, Ursem detected troves of protected health information tied to a single developer... The databases were taken down on December 17. MedData recently released a notice that detailed the massive patient data breach, which involved information provided to the vendor for processing services... Officials discovered that an employee had saved files to personal folders created on the GitHub repository between December 2018 and September 2019, during their employment...
The impacted data included patient names combined with one or more data elements, such as subscriber ID,Social Security numbers, diagnoses, conditions, claims data, dates of services, medical procedure codes, insurance policy numbers, provider names, contact details, and dates of birth. All affected patients will receive free credit monitoring and identity protection services... This is the second report from Ursem and Dissent on GitHub repositories leaking patient data in the last six months. In August, they reported that at least nine GitHub repositories leveraging improper access controls leaked data from more than 150,000 to 200,000 patients. The data belonged to multiple providers.
The incidents highlight the importance of vendor management and the need to ensure security policies are aligned. Previous reports have shown about one-third of healthcare databases stored in the cloud, or even locally, are actively leaking data online. What's worse, misconfigured databases can be hacked in about eight hours.
DataBreaches.net wonders what happened after Med-Data reached out to GitHub about the vault's logs and removal of the code. Did GitHub provide the logs? If so, what did they show? Is anyone's Protected Health Information in GitHub's Arctic Code Vault? And if so, what happens? Will GitHub remove it...? Or will code just be left there for researchers to explore in 1,000 years so they can wade through the personal and protected health information or other sensitive information of people who trusted others to protect their privacy?
In November, 2020, Ursem posed the question to GitHub on Twitter. They never replied.
Secrets of the dead. (Score:2)
Did GitHub provide the logs? If so, what did they show? Is anyone's Protected Health Information in GitHub's Arctic Code Vault? And if so, what happens? Will GitHub remove it...? Or will code just be left there for researchers to explore in 1,000 years so they can wade through the personal and protected health information or other sensitive information of people who trusted others to protect their privacy?
Almost as bad as archaeologists looking through our poo.
GitHub... again (Score:1)
Since when was dropping every bit of code you have in a public repository (it is not secure), and clearly live data as well, ever a good idea.
credit monitoring (Score:5, Insightful)
We don't want that. We want genuine financial compensation that hurts your bottom line.
Re: (Score:2)
We don't want that. We want genuine financial compensation that hurts your bottom line.
If it hurt their bottom line, that would just get passed on to you in the form of increased healthcare costs or taxes.
Re: (Score:1)
Re: (Score:1)
Not a GitHub problem (Score:2)
In November, 2020, Ursem posed the question to GitHub on Twitter. They never replied.
OK the actual vendor who published all the private health data seems to get away with providing "credit monitoring".
And GitHub is somehow at fault for their service working exactly as it should? And not answering any random Twitter question? It's not GitHub's job to look into the stuff you publish openly and decide whether you should not have and remove it...
Re: (Score:2)
It actually is, if there's the risk of people putting PHI on there.
Re: (Score:3)
"(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate."
If GitHub is letting covered entities use their services, they need BAAs and HIPPA-compliance. See https://www.law.cornell.edu/cf... [cornell.edu].
Re: (Score:2)
> If GitHub is letting covered entities use their services, they need BAAs and HIPPA-compliance
Only if they have an arrangement to store or process PHI.
If I walk out of the clinic and hand a chart to the guy mowing the lawn, that doesn't make the groundskeeping company a covered entity or a subcontractor with obligations.
It's moot, though, because Github is Microsoft which already does a ton with healthcare. And who knows what's on Github private.
Re: (Score:2)
No, it's the lack of the agreement but doing it anyways that's illegal. GitHub takes subscription fees to host content, and presumably this would be against the terms of that agreement for services, without the concomitant BAA.
Re: (Score:2)
You don't get a free pass because you don't advertise for hosting medical data. If you know you're doing it, and you know you don't have BAAs, you're breaking the law.
Re: (Score:2)
Re: (Score:2)
Being told is a good start.
Re: (Score:2)
If they knowingly allow it to remain and continue to host it, yes. You can't just say, "well I'm a content host and I know people are hosting PHI on my servers, but I don't have a specific BAA with them to store PHI, so it's okay they're storing PHI." That's how you pick up liability.
Won't matter (Score:2)
I reported a massive series of HIPPA violations from a former employer who knowingly handles PHI. The Office of Civil Liberties which handles those complaints refused to invesitgate, stating that they only investigate hospitals, not other covered entities. Therefore, my former employer continues, to this day, to make PHI publicly available, searchable on Google no less, despite my having reported it and the lack of business associate agreements with the various hospitals and doctors using their services.
Re: (Score:2)
Report it to the patients themselves.
Re: (Score:2)
The issue is that I didn't want to take possession of the records by making a copy myself. What I reported to the regulators was the URLs of the publicly available PHI. I also felt a bit wary of wading into contacting individuals, because I was made the designated fall guy. I tried to address it internally, making the entire staff aware of it, all the way up to the owner, every single week, for months on end. Finally, I submitted my resignation and filed a whistleblower complaint.
Re: (Score:2)
I tried to address it internally, making the entire staff aware of it, all the way up to the owner, every single week, for months on end. Finally, I submitted my resignation and filed a whistleblower complaint.
How does it feel knowing that none of that did any good whatsoever?
Re: (Score:2)
Par for the course. It was a lousy situation to be put into, with a large number of peoples' information plastered up for anyone to see And seeing myself being set up that way was not particularly endearing. Being given responsibility for the issue, but no authority or means to correct it, short of running my mouth, is a raw deal.
I'm out. My current employer doesn't ask me to break the law, which is a nice property in a job. (I don't work in intelligence, despite the signature, so breaking laws is not my j
Re: (Score:1)
Git hub is chock full of compromising stuff (Score:2)
Re: (Score:2)
companies have been hiring the cheapest programmers for 20 years now. Guys trained assembly line style often with little or no access to actual computers and paid $5 bucks an hour. They don't really understand what they're doing but are treated like they do. The result is they make a lot of mistakes and one of those mistakes is randomly putting things on git hub.
You're forgetting the important fact that they have no reason to care one way or the other.