CVS Health Suffers Database Breach Leaving 1b Records Exposed Online

CVS Health suffered a massive database breach earlier this year, which saw more than 1 billion search records being posted online.

The WebsitePlanet research team, in cooperation with security researcher Jeremiah Fowler, discovered a non-password-protected database that contained over 1 billion records. The researchers immediately advised CVS Health of the exposure, and the retail pharmacy giant took action.

The database was 204 gigabytes in size and contained 1,148,327,940 records. The leaked records consisted largely of searches performed on CVS.com and CVSHealth.com.

What the database contained

Among other things, the database contained: 

  • Production records that exposed Visitor ID, Session ID and device information (i.e. iPhone, Android, iPad, etc.)
  • A sampling of search queries revealed email addresses that could be targeted in a phishing attack for social engineering, or potentially used to cross-reference other actions.
  • The files gave a clear understanding of configuration settings, where data is stored, and a blueprint of how the logging service operates on the backend.

“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” the report says.

However, Fowler was quick to point out that the inclusion of email addresses in the database could have been the result of a repeated mistake by users who thought they were entering a username to log in, rather than using the search function.

“When reviewing the mobile version of the CVS site it is a possible theory that visitors may have believed they were logging into their account, but were really entering their email address into the search bar. The searches were formatted as ‘event type’ parameters and were set to ‘search’ and the email addresses are values for a parameter named ‘query’. This could explain how so many email addresses ended up in a database of product searches that was not intended to identify the visitor,” the report continues.
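The logging shape the report describes, an event type of 'search' carrying the visitor's free text in a 'query' parameter, is one an analytics pipeline can scrub before records reach any shared store. The following is an added example and not code from CVS, its vendor or the researchers; the field names and sample records are constructed.

```python
import re

# Constructed sample of search-event records in the shape the report describes:
# eventType is "search" and whatever the visitor typed is carried in "query".
SAMPLE_EVENTS = [
    {"visitorId": "v-1001", "sessionId": "s-abc", "device": "iPhone",
     "eventType": "search", "query": "ibuprofen 200mg"},
    {"visitorId": "v-1002", "sessionId": "s-def", "device": "Android",
     "eventType": "search", "query": "jane.doe@example.com"},
    {"visitorId": "v-1003", "sessionId": "s-ghi", "device": "iPad",
     "eventType": "search", "query": "order status john@example.org refill"},
    {"visitorId": "v-1004", "sessionId": "s-jkl", "device": "Android",
     "eventType": "add_to_cart", "query": ""},
]

# Conservative email pattern: good enough to catch an address typed into a search box.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scrub_event(event):
    """Return a copy of one event with any email address in its query redacted.

    Only 'search' events carry free-text visitor input, so other event types
    pass through untouched. The original dict is never modified.
    """
    scrubbed = dict(event)
    if event.get("eventType") == "search" and event.get("query"):
        cleaned, hits = EMAIL_RE.subn("[redacted-email]", event["query"])
        scrubbed["query"] = cleaned
        scrubbed["piiRedacted"] = hits > 0  # lets the pipeline count leaks
    return scrubbed


def scrub_batch(events):
    """Scrub a batch before it is written out; returns (records, redacted_count).

    The count is the metric to alert on: a sustained rate of emails landing in
    the search field is exactly the UI confusion the report hypothesises.
    """
    records = [scrub_event(e) for e in events]
    return records, sum(1 for r in records if r.get("piiRedacted"))


if __name__ == "__main__":
    safe, count = scrub_batch(SAMPLE_EVENTS)
    for r in safe:
        print(r)
    print(f"{count} of {len(safe)} records had an email address redacted")
```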

Fowler added: “The bad part about this finding was just how big it was. The number of records would time-out or break my browsing tool when I tried to get a total number of emails… In a small sampling of records there were emails from all major email providers.”

In response, CVS Health said the database did not contain customers’, members’ or patients’ personal information. “We were able to reach out to our vendor and they took immediate action to remove the database. Protecting the private information of our customers and our company is a high priority, and it is important to note that the database did not contain any personal information of our customers, members or patients.”

Security of information a headache for healthcare industry

Data breaches and the security of personal information continue to pose headaches for the healthcare industry. 

A 2019 report revealed that at least one in three healthcare organizations had suffered a data breach in 2018. The “2019 Thales Data Threat Report – Healthcare Edition” found that 70 percent of the healthcare organizations surveyed had experienced a data breach at some point. The survey, conducted by Thales in conjunction with research analysis firm IDC, said no other industry experienced as many breaches as healthcare.

Database configuration errors have also been blamed for data breaches.

In 2019, it was revealed that the personal health information of nearly 1 million University of Washington (UW) Medicine patients was available online for much of the previous December following a database configuration error.

UW Medicine said the files of about 974,000 patients were available online from December 4 through December 26, when the misconfiguration was discovered somewhat fortuitously. The organization said a patient conducting a Google search for their own name found a file containing their information and reported it to UW Medicine.

Such revelations are unsettling given that the healthcare industry has been accused of not learning from past breaches. A June 2019 Integris Software survey found that 70 percent of mid- to large-size healthcare companies in the U.S. were confident in their ability to manage sensitive data, yet half updated their inventory of such data only once a year or less.

The 2019 HIMSS U.S. Leadership and Workforce Survey report also found that cybersecurity, privacy and security topped a list of priorities for healthcare workers and vendor organizations, an indication that attitudes may be changing, albeit slowly.

A different survey, by Bitglass, counted 290 data breaches in the healthcare industry in 2018, a slight fall from 294 in 2017 and 324 the year before, suggesting some improvement in the secure storage of information. However, more records were breached: 11.5 million in 2018 compared with 4.7 million in 2017.