In the latest developments, CVS Health has faced a massive data leak in which over 1 billion records belonging to the health organization were found exposed online.
CVS Health massive database left exposed online:
CVS Health is a US-based healthcare organization that owns CVS Pharmacy, a retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; Aetna, a health insurance provider, among many other brands.
What led to this revelation was a discovery made by security researcher Jeremiah Fowler in collaboration with WebsitePlanet: they found an online database containing records of CVS Health.
The massive database was not password-protected and lacked any sort of authentication to prevent or hinder unauthorized access.
Upon further investigation of the database, the team of security researchers found that it contained over a billion records related to the healthcare organization.
The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information — such as whether visitors to the firm’s domains used an iPhone or Android handset — as well as what the team calls a “blueprint” of how the logging system operated from the backend.
Upon further inspection, it was also observed that the database exposed medical queries, such as those for medications, COVID-19 vaccines, and a range of other CVS retail products.
“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” the report states.
Security experts are of the opinion that such a massive and sensitive unsecured database can be exploited in targeted phishing attacks and other similar cyber attacks.
CVS notified and addressed:
CVS Health was promptly notified by the security organization regarding the discovery of the database and quickly confirmed that the dataset did, in fact, belong to the health giant.
According to CVS Health, the database was supervised and managed by an unnamed third-party vendor on behalf of the firm, and public access was restricted following the disclosure.
Following the incident, CVS Health addressed the massive database exposure, noting the following: “In March of this year, a security researcher notified us of a publicly-accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”