On June 20, vpnMentor reported on a leak they discovered involving data from patients interested in Vascepa.
Reading their report, it seemed that they could see that Vascepa figured prominently in the data but they do not mention whether they ever contacted Vascepa’s manufacturer, Amarin Pharma — or if not, why not.
On August 5, Amarin Pharma, Inc. notified California about a leak involving an unnamed vendor. Amarin’s notification explains that:
The vendor is an independent company that supports Amarin’s copay assistance programs by providing customer relationship management services relating to Vascepa®. Amarin’s systems were not affected by this incident.
Amarin’s letter also makes clear that they first learned of the leak from media reports (but not from direct contact from vpnMentor):
On or around June 20, 2019, we became aware of media reports suggesting that a database containing information about consumers who use or have expressed interest in Vascepa® may have been subject to unauthorized access. Amarin promptly began investigating these reports and determined that the database in question was maintained by the vendor. Amarin promptly took steps to suspend active data feeds to the vendor’s database, and the vendor informed us that the database was taken offline on June 20, 2019.
Although Amarin’s notification does not indicate the number affected, it does report the window of possible access:
On July 11, 2019, the vendor informed us that due to a database misconfiguration, information could have been accessed without proper authorization between May 2, 2018, and June 20, 2019. The vendor further informed us that it identified evidence of unauthorized access to and acquisition of information from the database during the period May 29, 2019 to June 20, 2019, and that it could not conclusively determine that no unauthorized access or acquisition occurred outside this timeframe.
You can read Amarin Pharma’s full notification on the California Attorney General’s site.
DataBreaches.net reached out to Amarin Pharma with questions as to whether the vendor was actually a business associate under HIPAA and whether Amarin would be reporting the incident to HHS/OCR, but has received no response to two emails sent to their corporate PR email address. The inquiries also included asking them to confirm or deny that ConnectiveRx was the vendor involved (ConnectiveRx had denied vpnMentor’s published statements that they had thought ConnectiveRx might be the responsible vendor).
This post will be updated if or when a response from Amarin Pharma is received.