Big Pharma cyber flub: AstraZeneca blames 'user error' for patient data exposure

While the shadow of Merck & Co.’s NotPetya incident continues to hang over the pharma cybersecurity landscape, direct attacks are far from the only threat the industry faces. In fact, drugmakers have quietly suffered hundreds of thousands of smaller, albeit still risky, data breaches and exposures over the past several years.

Now, AstraZeneca is adding its name to that list.

“Due to a user error, some data records were temporarily available on a developer platform,” an AstraZeneca spokesperson told Fierce Pharma Friday. The company cut off access to the data “immediately” after learning about the exposure. “We are investigating the root cause as well as assessing our regulatory obligations,” the spokesperson said.

Specifically, credentials for an AstraZeneca internal server were left on the code-sharing site GitHub in 2021, where they exposed sensitive patient data for more than a year, TechCrunch first reported, citing comments from Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk.
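The failure described here is credentials committed to a repository, and the routine control against it is a secret scan of staged content before a push. The following is an added example, not tooling from AstraZeneca, SpiderSilk or GitHub: a small scanner with a few credential-shaped rules, a placeholder filter so environment references do not trigger it, and masked output so the report does not re-leak what it finds. The config file it scans is constructed for the example.

```python
"""Pre-commit style check for credentials accidentally staged in source files."""
import re

# Each rule names a class of secret; the assignment rule is broad on purpose
# and relies on the placeholder filter below to limit noise.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Values read from the environment or left as templates are not leaks.
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_]+\}?|os\.environ|<[^>]+>|\{\{.*\}\})")


def mask(value: str) -> str:
    """Keep a short prefix so the report itself does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str, name: str = "<stdin>") -> list:
    """Return one finding per (rule, line) hit, carrying only a masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            # Assignment rule captures the value; the other rules match the whole token.
            value = m.group(1) if m.lastindex else m.group(0)
            if rule == "assigned_secret" and PLACEHOLDER.match(value):
                continue
            findings.append({"file": name, "line": lineno, "rule": rule, "value": mask(value)})
    return findings


# Constructed sample of a config file that should never reach a public repo.
SAMPLE = """[database]
host = db.internal.example
password = "Sup3rS3cretPass!"
url = postgres://svc_user:Sup3rS3cretPass!@db.internal.example:5432/patients
api_key = ${AZ_API_KEY}
"""

if __name__ == "__main__":
    for h in scan_text(SAMPLE, "sample.ini"):
        print(f"{h['file']}:{h['line']}: {h['rule']} ({h['value']})")
```

As a pre-commit hook, feed it the output of `git diff --cached` instead of SAMPLE and exit non-zero on any finding to block the commit.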

AZ did not respond to Fierce Pharma’s question about whether any of the patient data had been accessed or stolen.

Some of the data related to AZ&Me applications, TechCrunch reported. AZ&Me is an AstraZeneca prescription savings program that offers discounts to patients on the company’s medications.

“The protection of personal data is extremely important to us and we strive for the highest standards and compliance with all applicable rules and laws,” AstraZeneca’s spokesperson added in an email.

User errors like the one behind AstraZeneca’s patient data dust-up are common across the industry, and companies are paying the price in the form of widespread cybersecurity vulnerabilities, digital risk protection company Constella Intelligence told Fierce Pharma earlier this year.

Looking at data from 20 top drugmakers between January 2018 and September 2021, Constella identified 9,030 breaches or leakages and more than 4.5 million exposed records linked to employee corporate credentials. These breaches exposed information such as email addresses, passwords, phone numbers and addresses as well as credit card and banking information.

Meanwhile, Merck’s NotPetya imbroglio lives in infamy for good reason. The New Jersey drugmaker was among a slate of global companies hit by the June 27, 2017, attack, which was ultimately linked to the Russian military. The attack hamstrung Merck’s in-house active pharmaceutical ingredient (API) production and affected its formulation and packaging systems as well as R&D and other operations.

The episode ended up costing Merck more than $1 billion and triggered an insurance fight over whether an "act of war" exclusion applied. Merck prevailed in that specific argument earlier this year.

More recently, breaches and attacks have hit Swiss pharma major Novartis as well as COVID-19 vaccine partners Pfizer and BioNTech.