1.6 Million Records in Clinical Trials Database Exposed Online

A 2 TB database containing around 1.6 million clinical trial records was exposed online, accessible to anyone without a password. Cybersecurity researcher Jeremiah Fowler discovered the database and reported that it held 1,674,218 records. The exposed records include survey results in PDF format containing sensitive personal and medical data.

The exposed information included names, telephone numbers, email addresses, birth dates, vaccination details, current prescription drugs, patient notes, and medical conditions. In some instances, the notes contained doctors’ names, pregnancy status, side effects of prior vaccines, and whether or not patients used birth control. The records relate to people throughout the United States. A review of a sample of the files identified no duplicates, though from that small sample Fowler could not rule out the possibility that the same people had signed up for several individual surveys.

Fowler, a researcher at Security Discovery, determined that the database likely belonged to DM Clinical Research, as indicated by its name and the references within it. DM Clinical Research is a network of clinical investigator sites that connects patients with doctors conducting research into new and alternative drugs and offers clinical trials for treating particular patients.

After Fowler reported his findings to DM Clinical Research, the database was secured within 24 hours. According to Fowler, it is unclear whether the exposed database was managed directly by DM Clinical Research or by a third party. How long the database was exposed on the web is also unknown, as is whether anyone else discovered or accessed it.

Although this incident is clearly a serious exposure of sensitive personally identifiable information (PII), and the data in the database would also qualify as protected health information (PHI) of the kind covered by the Health Insurance Portability and Accountability Act (HIPAA), it is not a reportable breach under HIPAA.

HIPAA applies only to HIPAA-regulated entities and their business associates. DM Clinical Research is not required to comply with HIPAA, because it does not fall within the definition of a HIPAA-regulated entity. Nor is it regarded as a business associate, because the data in the database appears to have been collected directly from individuals rather than from a covered entity. Any obligation to issue breach notifications is therefore dictated by state law, which can differ substantially from state to state.

Privacy advocates have called for HIPAA to be extended to cover this gray area, so that people are informed about the exposure and/or theft of their medical information regardless of who collects that data.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]