Billions of CVS patient records exposed due to “cloud storage misconfiguration”
06/22/2021 // Ethan Huff

More than one billion customer records at CVS Health were released to the public due to what experts believe was an accidental "cloud storage misconfiguration."

Once again highlighting the serious risks involved with electronic medical records, a vendor of CVS Health apparently uploaded the records into the system without any password or other authentication in place, effectively exposing them all to the world.

Researchers say that the data points can easily be strung together to create an "extremely personal snapshot of someone's medical situation." CVS Health is now on the hook for this massive breach of private medical records.

In a blog post, security researcher Jeremiah Fowler blamed "human error" for the breach, though Threatpost's Lisa Vaas says this is just the latest in a long line of "rampant misconfiguration that's plaguing cloud-based storage, leading to exposure of sensitive data on an internal network."

Researchers from WebsitePlanet apparently found the non-password-protected database, which had no authentication in place whatsoever. This discovery occurred on March 21.

These same researchers coordinated with Fowler on the same day before contacting CVS Health to report it. The naked database was then closed off from public view while the situation was investigated further.

How will CVS Health make things right for its customers?

A CVS spokesperson confirmed the findings, indicating that CVS Health had, in fact, been notified of the exposure of a publicly accessible database that contained "non-identifiable CVS Health metadata."


CVS Health, by the way, is the parent company of the well-known CVS Pharmacy retail chain, as well as CVS Caremark, a pharmacy benefits manager, and Aetna, a health insurance provider.

It was determined upon investigation that the breached database was hosted by a third-party vendor, which CVS Health has refused to publicly name. The company insists that no personally identifiable information (PII) of customers was in the database.

Fowler, however, says that there was plenty of information in the database to piece together customers' PII, including their personal email addresses.

In total, there were 204 gigabytes (GB) of data on the server, covering more than 1.1 billion records.

"They were labeled 'production' and included information typed into search bars, such as the data types add to cart, configuration, dashboard, index-pattern, more refinements, order, remove from cart, search, server," Vaas says.

The records also exposed fields containing Visitor ID, Session ID, and device information including whether customers were using an iPhone or an Android, or a desktop PC versus an iPad.

Stringing this data together to produce personalized information is easier than CVS Health is letting on, it turns out. Customers could potentially be targeted by a phishing attack or even a social engineering experiment "potentially used to cross-reference other actions."

Interestingly, CVS was caught back in 2013 trying to bribe its customers into sharing their personal medical records to pad the company's bottom line through a questionable marketing scheme.

What CVS was doing was luring customers into enrolling in a program that offered cash prizes and other rewards on the condition that their medical privacy rights under HIPAA would be signed away, allowing CVS to do whatever it wanted with them.

Now, this information has conveniently been "leaked" by a CVS-contracted company in an apparent "accident" that cybersecurity experts say is common in misconfigured cloud computing systems.

"What options do we have for pursuing legal action?" asked one Threatpost commenter. "What fallout will there be for CVS?"

"This should not be treated as an 'oopsey,'" wrote another. "Someone needs to be held accountable for these types of egregious errors."

More related news about the susceptibility of electronic medical records to hacking and privacy breaches can be found at

This site is part of the Natural News Network © 2022 All Rights Reserved.