Researchers Say CVS Health Accidentally Exposed More than 1 Billion Records

Jeremiah Fowler with the WebsitePlanet research team recently shared that they discovered over 1 billion records in a non-password-protected CVS Health database.  The database held over 204 GB of data with 1,148,327,940 records.  It’s a stark reminder of how quickly millions and even billions of records can be exposed in this new online connected world.  I’m not sure we could even imagine what 1 billion paper charts would look like, but I digress.

Looks like these exposed records were mostly just the metadata that CVS Health was collecting on their site.  Things like visitor ID, session ID, device information, etc.  However, it did also include search queries that contained things like email addresses, which could be targeted in a phishing attack or other social engineering hack.  Plus, it could be cross-referenced with other data to really expose an individual.

Maybe even more important, access to this metadata could give a hacker a better understanding of how the server/website is configured and how they could breach the system in other ways.  Hackers are getting much more sophisticated these days and often will breach a system and then use those learnings to execute phishing attacks or ransomware.

CVS Health offered the following statement about the exposure:

“In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata.

We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients.

As the researcher’s report indicates, there was no risk to customers, members or patients, and we worked with the vendor to quickly take the database down.

We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”

At the bottom of the CVS website is their privacy policy which says:

Security

We seek to use reasonable physical, technical, and administrative safeguards to protect personal information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account with us has been compromised), please immediately contact us in accordance with the “Contact Information” section below. [emphasis added]

Mike Semel from Semel Consulting said, “This brings in consumer protection laws including the Federal Trade Commission Article 5 that prohibits fraudulent business practices, and the consumer protection laws – not the data breach laws – of most states.”  The key question here is whether a lawyer could prove that CVS didn’t do everything ‘reasonable’ to secure the database, or failed to control what a vendor did.

Credit goes to WebsitePlanet for the responsible disclosure so that CVS Health could deal with the situation before sharing it publicly, but whenever this happens you never know who might have taken advantage of the hole while it was open.  Not everyone discloses these types of issues responsibly.

The other big lesson in this incident is the reminder that your organization is responsible even if it’s a third-party system that has the security issue.  CVS Health is responsible for the actions of the third-party vendor that exposed all this data.  The same is true, and possibly even more so, for healthcare organizations.  This is why it’s essential that healthcare organizations not only have Business Associate agreements with their partners, but that they also have a plan for how they’re going to ensure that these BAs are actually doing what they say they’re doing and are taking appropriate security precautions.

It’s scary how quickly and easily a billion records can be exposed today.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
