CVS Health Faces Data Breach,1B Search Records Exposed

June 21, 2021 - More than 1 billion CVS Health search records were accidentally posted online in a data breach incident in late March by an unnamed third party vendor. Independent cybersecurity researcher Jerimiah Fowler discovered the breach and quickly alerted CVS and the database was taken offline on the same day.

The records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications. In most cases, the search data could not be linked to a specific person, Fowler told Forbes.

However, some people did enter their own email addresses in the search bar, likely mistaking the search bar for the place to enter login information. It is possible that this data could be traced back to an individual customer.

“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” Fowler wrote on WebsitePlanet, the source that initially reported on the breach.

Fowler and the research team at WebsitePlanet discovered the database, which was not password-protected, on March 21st. Their findings uncovered CVS’ configuration settings and backend operations—information that could be used for phishing attacks if it were obtained by bad actors.  

“In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members or patients,” said CVS Health in a public statement.

“We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”

Even if no personal data was collected, a breach of this size can present legitimate risks to large organizations like CVS who track search data for analytics, marketing, and customer engagement purposes.

“The bad part about this finding was just how big it was,” Fowler told Forbes. “The number of records would time-out or break my browsing tool when I tried to get a total number of emails... In a small sampling of records there were emails from all major email providers.”

Fowler did not download the entire database due to ethical concerns. Because of this, it is unclear exactly how many CVS customers were impacted by the data breach.

In other data breach news, recent employee reports reveal that a May 31st cyberattack on the University of Florida Health Leesburg Hospital and The Villages Regional Hospital is now negatively impacting patient care.

The attack led to significant EHR downtime, and clinicians are now using pen and paper to document care. Without access to prescription information and history, there are concerns about misplaced lab reports and incorrect medication information.

In addition, a CaptureRx data breach impacted MetroHealth System in Cleveland, Ohio and at least 16 other healthcare organizations. Patient files were accessed without authorization, and birthdates, names, and prescription information were exposed.