CVS Health Records for 1.1 Billion Customers Exposed - silversurfer - 19 June 21
Quote:More than 1 billion records for CVS Health customers were left in the database of a third-party, unnamed vendor – exposed, unprotected, online. Researchers said the data points revealed could be strung together to create an extremely personal snapshot of someones’s medical situation.
The glitch is likely due to human error, security researcher Jeremiah Fowler said in a post on WebsitePlanet on Thursday: In other words, it’s probably yet another incidence of rampant misconfiguration that’s plaguing cloud-based storage, leading to exposure of sensitive data on an internal network.
According to Fowler’s post, researchers at WebsitePlanet – a portal for web developers and internet marketers – found the non-password-protected database, which had no form of authentication in place to prevent unauthorized entry, on March 21. They coordinated with Fowler in documenting their discovery and on that same day, after they contacted CVS Health, the naked database was closed off from public view.
CVS Health is the parent company behind multiple household brands, including the CVS Pharmacy retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; and Aetna, a health insurance provider.
A CVS spokesperson confirmed the researchers’ findings, saying that CVS Health had been notified of the exposure of a publicly accessible database that contained non-identifiable CVS Health metadata. Upon investigation, they determined that the database was hosted by a third-party vendor, whose name the company didn’t disclose. The database didn’t contain any personally identifiable information (PII) of customers, members or patients, the company said in a statement, and the database was quickly taken down.
Read more: CVS Health Records for 1.1 Billion Customers Exposed | Threatpost
|