DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Amarin Pharma notifies patients of data leak discovered by vpnMentor

Posted on August 6, 2019 by Dissent

On June 20, vpnMentor reported on a leak they discovered involving data from patients interested in Vascepa.

Reading their report, it seemed that they could see that Vascepa figured prominently in the data but they do not mention whether they ever contacted Vascepa’s manufacturer, Amarin Pharma — or if not, why not.

On August 5, Amarin Pharma, Inc. notified California about a leak involving an unnamed vendor.  Amarin’s notification explains that:

The vendor is an independent company that supports Amarin’s copay assistance programs by providing customer relationship management services relating to Vascepa®. Amarin’s systems were not affected by this incident.

Amarin’s letter also makes clear that they first learned of the leak from media reports (but not from direct contact from vpnMentor):

On or around June 20, 2019, we became aware of media reports suggesting that a database containing information about consumers who use or have expressed interest in Vascepa® may have been subject to unauthorized access. Amarin promptly began investigating these reports and determined that the database in question was maintained by the vendor. Amarin promptly took steps to suspend active data feeds to the vendor’s database, and the vendor informed us that the database was taken offline on June 20, 2019.

Although Amarin’s notification does not indicate the number affected, it does report the window of possible access:

On July 11, 2019, the vendor informed us that due to a database misconfiguration, information could have been accessed without proper authorization between May 2, 2018, and June 20, 2019. The vendor further informed us that it identified evidence of unauthorized access to and acquisition of information from the database during the period May 29, 2019 to June 20, 2019, and that it could not conclusively determine that no unauthorized access or acquisition occurred outside this timeframe.

You can read Amarin Pharma’s full notification on the California Attorney General’s site.

DataBreaches.net reached out to Amarin Pharma with questions as to whether the vendor was actually a business associate under HIPAA and whether Amarin would be reporting the incident to HHS/OCR, but has received no response to two emails sent to their corporate PR email address. The inquiries also included asking them to confirm or deny that ConnectiveRx was the vendor involved (ConnectiveRx had denied vpnMentor’s published statements that they had thought ConnectiveRx might be the responsible vendor).

This post will be updated if or when a response from Amarin Pharma is received.

Related posts:

  • Operation Anti Security Breakdown and targets, the full time line
Category: Breach IncidentsCommentaries and AnalysesHealth DataSubcontractorU.S.

Post navigation

← People: Do NOT Call This Site About the AMCA Breach
With warshipping, hackers ship their exploits directly to their target’s mail room →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.