Hack Notice

Hack Notice: Misconfigured cloud storage bucket exposed Pfizer drug safety-related reports - researchers

Source
https://www.databreaches.net/misconfigured-cloud-storage-bucket-exposed-pfizer-drug-safety-related-reports-researchers/
Description
For lo, these many years, DataBreaches.net has been reminding everyone that not all leaks or breaches involving medical or sensitive personal health information are covered by HIPAA. Today’s narrative is a reminder of that.

vpnMentor recently contacted DataBreaches.net about a leak their research team, led by Noam Rotem and Ran Locar, had discovered. The leak involved Pfizer, a well-known pharmaceutical firm. A misconfigured Google cloud storage bucket was exposing files involving reports of issues or concerns about Pfizer products such as Aromasin, Chantix, Depo-Medrol, Ibrance, Lyrica, Premarin, and Viagra. The files appeared to be transcripts of recorded calls to an automated interactive voice response system Pfizer uses as part of its reporting obligations to the U.S. Drug Safety Unit (US DSU). In some transcripts, an actual representative was on the line/call after the call was escalated. Transcribed calls revealed patients’ names, addresses, phone numbers, email addresses, the name of the medication they were calling about, and the nature of their problem or adverse effect. Not all calls were made directly by consumers or patients. Their doctors or providers could make the calls.

DataBreaches.net reviewed some of the transcribed files. Some of the calls described problems patients were having getting medication needed for the treatment of their cancer. One caller said they were calling to report a death. Another caller kept asking the automated system to get him to a person as it was an emergency involving an adverse reaction. And yet another caller was complaining about the difficulty in opening packaging. There was a wide range of issues and topics in what vpnMentor described as hundreds of files.

According to their report, vpnMentor researchers discovered the leak on July 9 and first attempted responsible disclosure via email on July 13.
Getting no response, they tried to contact Pfizer again on July 19 and then on July 22, using different email addresses each time. They also tried again on September 22. When they finally did get a response from Pfizer (to their September 22 attempt), they report that Pfizer’s response included: “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).” vpnMentor then reportedly showed them some of the data they had found exposed. “After this,” the researchers report, “they finally secured the bucket, but never replied to our messages again.”

DataBreaches.net asked vpnMentor exactly what email addresses they had sent their attempted disclosures to, and the title of the person who responded with the statement they quoted in their report. vpnMentor provided all the email addresses and the employee’s name and title. You can read vpnMentor’s full report on their site.

Not HIPAA, and Pfizer Responds

When vpnMentor reached out to DataBreaches.net to share their findings, this site immediately raised the issue that this was likely not a HIPAA-covered situation, but that it was nevertheless a concerning issue that might trigger other reporting obligations. DataBreaches.net turned to two experienced HIPAA lawyers to inquire as to whether HIPAA applied here. Both Jeff Drummond of JacksonWalker and Matthew R. Fisher of Mirick O’Connell responded that pharmaceutical companies generally are not covered by HIPAA, although they may have some specific programs that are. Neither attorney was provided actual leaked files to examine, so their responses were based solely on a scenario summarized by DataBreaches.net.

Drummond responded:

HIPAA applicability depends on meeting a “who” and a “what” test. The entity that’s acting must be a HIPAA covered entity or business associate, and the data involved must be PHI….. It’s hard to tell without more information that’s not likely directly connected to the entity involved here.
Generally speaking, drug and device makers aren’t HIPAA covered entities: they aren’t healthcare providers per se, and to the extent you can convince yourself that they are, they don’t engage in HIPAA-covered transactions (because they don’t get paid by insurers electronically for providing care). So, HIPAA isn’t likely involved, at least as directly related to a leak from a drug manufacturer.

But that doesn’t let a drug maker totally off the hook for a leak, Drummond notes: a pharmaceutical is “almost certainly subject to other privacy and data security obligations with respect to this data.” When asked to expand on that, Drummond answered,

FDA requirements generally ask drug and device manufacturers to track adverse events and gather that information, so it’s not surprising they’d be getting it. It is surprising that they are not protecting it. They probably have obligations under their research protocols, possibly under their Clinical Trial Agreements with the investigational sites (hospitals and physician offices who participate in clinical trials and post-trial surveillance), and very likely have obligations under the FDA’s Policy for Protection of Human Subjects in Research and with the Institutional Review Boards that oversee their studies, and those obligations most likely require some sort of privacy protections and data security that they are likely failing to meet. But not likely HIPAA.

Fisher concurs, telling DataBreaches.net:

… if the information is going to the pharma company for its FDA reporting obligations, then even if patient information is present then it would be held in a capacity not covered by HIPAA….. assembling of drug safety information falls under FDA obligations (to my limited understanding) and even though patient related info will be collected, this is likely one of those instances where even though it walks like a duck and quacks like a duck, it isn’t a duck because of the circumstances.
He, too, notes that while HIPAA may not apply, state laws may:

Since HIPAA doesn’t apply to the pharma company in this instance, those laws may actually become more impactful because not pre-empted by HIPAA or granting a carve out related to HIPAA.

DataBreaches.net reached out to Pfizer to ask them whether the records in the misconfigured bucket were covered by HIPAA. Sally Beatty of Pfizer Media Relations sent the following statement:

Pfizer is aware that a small number of non-HIPAA data records on a vendor operated system used for feedback on […]
