More than 1B CVS Health records exposed in online database

Security researchers earlier this spring discovered a database containing more than a billion records, including emails that could be targeted in a phishing attack for social engineering.

The database, which was not password-protected, was flagged by the WebsitePlanet research team in cooperation with Jeremiah Fowler.

Public access to the data was restricted the same day that CVS Health was notified.  

“In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata,” said CVS Health in a statement sent to Healthcare IT News.   

“We immediately investigated determined that the database, which was hosted by a third-party vendor, did not contain any personally identifiable information of our customers, members or patients,” according to the statement.

“We’ve addressed the issue with the vendor to prevent a recurrence we thank the researcher who notified us about this matter.”  


According to CVS Health, the metadata did not contain any personally identifiable information, there was no risk to patients, customers or members.

However, the researchers noted that the records contained email addresses – which could conceivably identify a person’s first or last name. They pointed out, for example, that a Google search for some of the exposed email addresses enabled them to identify the email’s operator.  

The records also contained a “visitor ID” “session ID.”  

“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session then try to identify the customer using the exposed emails,” wrote Fowler in his blog post.

CVS Health did not respond to follow-up questions about this potential connection.  

Fowler says CVS Health told him that the emails were not from customer account records. Rather, they were entered into the search bar, which captures logs everything that is entered into the website’s search function, by visitors themselves – likely in a mistaken attempt to log in to their account using the wrong field.  

“This could explain how so many email addresses ended up in a database of product searches that was not intended to identify the visitor,” said Fowler.  

Fowler reiterated that email addresses for the visitor’s profile or shopping cart were not collected to this database, but that human error was at the heart of both the data exposure the accidental email address search bar entry.  

“The Visitor ID Session ID alone contained no identifiable data, only when combined with the email addresses could there have been any remote possibility to identify the user,” he said.   

Fowler also noted that any database exposure gives cybercriminals the opportunity to gain insight into potential vulnerabilities.

“We are not implying any wrongdoing by CVS Health, their contractors, or vendors. We are also not implying that customers, members, patients or website visitors were at risk. The theories expressed here are based on hypothetical possibilities of how this data could be used,” said Fowler.  


Accidental data exposure may not get as many attention-grabbing headlines as ransomware attacks, but it is certainly still cause for potential concern.  

Earlier this year, a Wyoming health department employee accidentally uploaded test results from more than a quarter of the state’s population to a public-facing website. 

And in 2018, a Blue Cross employee uploaded a file containing member information for 16,000 people to a public-facing website. The data remained visible for three months.   


“Cybercriminals nation states alike use complex methods to collect exploit the data they find,” Fowler wrote. “Often they use the same methods as legitimate security researchers to identify publicly exposed data.  

“While we work daily to protect the data, we discover there are cybercriminals looking to exploit the data for nefarious purposes,” he added. “Each record of information serves as a puzzle piece to provide a larger picture of an organization’s network or data storage methods.”


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source link