Misconfigured cloud storage bucket exposed Pfizer drug safety-related reports — researchers
For lo, these many years, DataBreaches.net has been reminding everyone that not all leaks or breaches involving medical or sensitive personal health information are covered by HIPAA. Today’s story is a reminder of that.
vpnMentor recently contacted DataBreaches.net about a leak their research team, led by Noam Rotem and Ran Locar, had discovered. The leak involved Pfizer, a well-known pharmaceutical firm. A misconfigured Google Cloud Storage bucket was exposing files involving reports of issues or concerns about Pfizer products such as Aromasin, Chantix, Depo-Medrol, Ibrance, Lyrica, Premarin, and Viagra.
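As an added illustration, not part of the original report or of any vpnMentor or Pfizer material, the following Python audits a Google Cloud Storage bucket IAM policy, in the JSON shape that `gsutil iam get gs://BUCKET` prints, for bindings granted to the public principals allUsers and allAuthenticatedUsers, and produces a corrected policy with those principals removed. The policy, group and service account names are constructed for the example.

```python
import copy
import json

# allUsers is the whole internet; allAuthenticatedUsers is anyone with any
# Google account. Either one in a binding makes that role public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles through which a public principal can read object contents; other
# roles (e.g. legacyBucketReader) leak object listings rather than contents.
CONTENT_READ_ROLES = {
    "roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader", "roles/storage.legacyObjectOwner",
}

# Constructed sample policy (fictional principals) in the JSON shape that
# `gsutil iam get gs://BUCKET` prints. The allUsers objectViewer binding is
# the class of misconfiguration that exposes every object to the internet.
SAMPLE_POLICY = json.loads("""
{"etag": "CAE=", "bindings": [
  {"role": "roles/storage.admin",
   "members": ["group:storage-admins@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:ivr@example.iam.gserviceaccount.com", "allUsers"]},
  {"role": "roles/storage.legacyBucketReader",
   "members": ["allAuthenticatedUsers"]}
]}
""")


def public_exposures(policy):
    """Return one finding per (role, public principal) pair in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                severity = "critical" if role in CONTENT_READ_ROLES else "high"
                findings.append({"role": role, "member": member, "severity": severity})
    return findings


def remove_public_principals(policy):
    """Copy of the policy with public principals stripped from every binding
    and emptied bindings dropped; the result is what `gsutil iam set` takes."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed
```

Stripping public principals closes exposure going forward but does not tell you what was already fetched; bucket access logs are the place to answer that question.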
The files appeared to be transcripts of recorded calls to an automated interactive voice service system Pfizer uses as part of its reporting obligations to the U.S. Drug Safety Unit (US DSU). In some transcripts, a live representative joined the call after it was escalated.
Transcribed calls revealed patients’ names, addresses, phone numbers, email addresses, the name of the medication they were calling about, and the nature of their problem or adverse effect. Not all calls were made directly by consumers or patients; their doctors or providers could also make the calls.
DataBreaches.net reviewed some of the transcribed files. Some of the calls described problems patients were having getting medication needed for the treatment of their cancer. One caller said they were calling to report a death. Another caller kept asking the automated system to get him to a person as it was an emergency involving an adverse reaction. And yet another caller was complaining about the difficulty in opening packaging. There was a wide range of issues and topics in what vpnMentor described as hundreds of files.
According to their report, vpnMentor researchers discovered the leak on July 9 and first attempted responsible disclosure via e-mail on July 13. Getting no response, they tried to contact Pfizer again on July 19 and then on July 22, using different email addresses each time. They also tried again on September 22.
When they finally did get a response from Pfizer (to their September 22 attempt), they report that Pfizer’s response included:
“From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).”
vpnMentor then reportedly showed them some of the data they had found exposed.
“After this,” the researchers report, “they finally secured the bucket, but never replied to our messages again.”
DataBreaches.net asked vpnMentor exactly what email addresses they had sent their attempted disclosures to, and the position of the person who responded with the statement they quoted in their report. vpnMentor provided all the email addresses and the employee’s name and title.
Not HIPAA, and Pfizer Responds
When vpnMentor reached out to DataBreaches.net to share their findings, this site immediately raised the issue that this was likely not a HIPAA-covered situation, but that it was nevertheless a concerning issue that might trigger other reporting obligations.
DataBreaches.net turned to two experienced HIPAA lawyers to inquire as to whether HIPAA applied here. Both Jeff Drummond of JacksonWalker and Matthew R. Fisher of Mirick O’Connell responded that pharmaceutical companies generally are not covered by HIPAA, although they may have some specific programs that are.
Neither attorney was provided actual leaked files to examine, so their responses were based solely on a scenario summarized by DataBreaches.net. Drummond responded:
HIPAA applicability depends on meeting a “who” and a “what” test. The entity that’s acting must be a HIPAA covered entity or business associate, and the data involved must be PHI….. It’s hard to tell without more information that’s not likely directly connected to the entity involved here. Generally speaking, drug and device makers aren’t HIPAA covered entities: they aren’t healthcare providers per se, and to the extent you can convince yourself that they are, they don’t engage in HIPAA-covered transactions (because they don’t get paid by insurers electronically for providing care). So, HIPAA isn’t likely involved, at least as directly related to a leak from a drug manufacturer.
But that doesn’t let a drug maker totally off the hook for a leak, Drummond notes:
a pharmaceutical is “almost certainly subject to other privacy and data security obligations with respect to this data.”
When asked to expand on that, Drummond answered,
FDA requirements generally require drug and device manufacturers to track adverse events and gather that information, so it’s not surprising they’d be getting it. It is surprising that they are not protecting it. They probably have obligations under their research protocols, possibly under their Clinical Trial Agreements with the investigational sites (hospitals and physician offices who participate in clinical trials and post-trial surveillance), and very likely have obligations under the FDA’s Policy for Protection of Human Subjects in research and with the Institutional Review Boards that oversee their studies, and those obligations most likely require some sort of privacy protections and data security that they are likely failing to meet. But not likely HIPAA.
Fisher concurs, telling DataBreaches.net:
… if the information is going to the pharma company for its FDA reporting obligations, then even if patient information is present then it would be held in a capacity not covered by HIPAA….. Collection of drug safety information falls under FDA obligations (to my limited understanding) and even though patient related information will be collected, this is likely one of those instances where even though it walks like a duck and quacks like a duck, it isn’t a duck because of the circumstances.
He, too, notes that while HIPAA may not apply, state laws may:
Since HIPAA doesn’t apply to the pharma company in this instance, those laws may actually become more impactful because not pre-empted by HIPAA or granting a carve out related to HIPAA.
DataBreaches.net reached out to Pfizer to ask them whether the records in the misconfigured bucket were covered by HIPAA. Sally Beatty of Pfizer Media Relations sent the following statement:
Pfizer is aware that a small number of non-HIPAA data records on a vendor operated system used for feedback on existing medicines were inadvertently publicly available. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals.
Pfizer did not name the vendor, and because their statement does not seem wholly consistent with vpnMentor’s report of difficulty they experienced in attempting responsible disclosure, DataBreaches.net asked Pfizer to explain what appeared to be their lack of prompt response to responsible disclosure attempts. Pfizer’s response was:
“We take issue with your characterization and timeline and beyond that have no further comment.”