CVS Health Records for 1.1 Billion Customers Exposed
A vendor exposed the records, which were accessible with no password or other authentication, likely because of a cloud-storage misconfiguration.
More than 1 billion records for CVS Health customers were left in the database of a third-party, unnamed vendor – exposed, unprotected, online. Researchers said the data points revealed could be strung together to create an extremely personal snapshot of someones’s medical situation.
The glitch is likely due to human error, security researcher Jeremiah Fowler said in a post on WebsitePlanet on Thursday: In other words, it’s probably yet another incidence of rampant misconfiguration that’s plaguing cloud-based storage, leading to exposure of sensitive data on an internal network.
According to Fowler’s post, researchers at WebsitePlanet – a portal for web developers and internet marketers – found the non-password-protected database, which had no form of authentication in place to prevent unauthorized entry, on March 21. They coordinated with Fowler in documenting their discovery and on that same day, after they contacted CVS Health, the naked database was closed off from public view.
CVS Health is the parent company behind multiple household brands, including the CVS Pharmacy retail pharmacy chain; CVS Caremark, a pharmacy benefits manager; and Aetna, a health insurance provider.
