On Thursday, WebsitePlanet and researcher Jeremiah Fowler announced the discovery of an online CVS Health database. According to ZDNet, the database was not password protected and no controls were in place to prevent unauthorised access.
The researchers discovered nearly a billion documents linked to the US healthcare and pharmaceutical conglomerate, whose brands include CVS Pharmacy and Aetna.
The 204GB database contained event and configuration data such as production records of visitor IDs, session IDs, device access information (e.g., whether visitors to the company’s domains were using an iPhone or a handheld Android device), and what the team calls a “blueprint” for how the logging system worked from the back end.
Information regarding COVID-19 vaccinations and CVS Health has been posted
Queries for medicines, COVID-19 vaccinations, and a number of CVS articles were also uncovered. The report notes: “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails”.
The researchers said the insecure database could have been exploited for targeted phishing by cross-referencing the email addresses stored in the system (most likely captured when visitors accidentally typed them into the search bar) with the other actions recorded for the same session. Competitors could also have been interested in the search query data created and stored in the system.
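The leakage path described above (email addresses typed into a search bar and then stored next to session IDs) is one that the logging pipeline itself can close: free-text fields should be scrubbed before they reach the analytics store, and an existing store can be checked for records that still carry emails. The following is an added illustration, not code from the report, CVS Health or its vendor; the event layout and sample values are constructed to resemble the kinds of fields the report lists.

```python
import re
from typing import Dict, List

# Constructed sample events mimicking the kind of data the report describes:
# a visitor ID, a session ID, a device hint and a free-text search query.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"visitor_id": "v-1001", "session_id": "s-9a1", "device": "iPhone",
     "search": "covid-19 vaccine near me"},
    {"visitor_id": "v-1002", "session_id": "s-9a2", "device": "Android",
     "search": "jane.doe@example.com"},  # email mistyped into the search bar
    {"visitor_id": "v-1003", "session_id": "s-9a3", "device": "iPhone",
     "search": "refill for John.Smith+rx@example.org please"},
]

# Simple email pattern; good enough to catch addresses pasted into a search box.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Fields that carry user-typed text and therefore may contain personal data.
FREE_TEXT_FIELDS = ("search",)


def scrub_event(event: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the event with email addresses in free-text fields
    replaced by a fixed token, so a stored record cannot be joined back to
    the person behind the session."""
    clean = dict(event)
    for field in FREE_TEXT_FIELDS:
        if field in clean:
            clean[field] = EMAIL_RE.sub("[EMAIL_REDACTED]", clean[field])
    return clean


def find_leaks(events: List[Dict[str, str]]) -> List[str]:
    """Detection side: return the session IDs whose free-text fields still
    contain an email address. Run this over an existing store to measure
    how much personal data has already slipped through."""
    return [e["session_id"] for e in events
            if any(EMAIL_RE.search(e.get(f, "")) for f in FREE_TEXT_FIELDS)]


if __name__ == "__main__":
    print("sessions with leaked emails:", find_leaks(SAMPLE_EVENTS))
    for ev in SAMPLE_EVENTS:
        print(scrub_event(ev))
```

Scrubbing at ingestion is a second layer only; the primary control the report points to is authentication on the store itself.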
WebsitePlanet submitted a private disclosure notice to CVS Health and promptly received a response confirming that the data set belongs to the company. Notably, CVS Health stated that the information was maintained on its behalf by an unnamed vendor. Public access to the database was closed off after the disclosure.
CVS Health told ZDNet that “In March of this year, a security researcher notified us of a publicly-accessible database that contained non-identifiable CVS Health metadata”.
“We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”