Once again highlighting the serious risks involved with electronic medical records, a vendor of CVS Health apparently uploaded the records into the system without creating any type of password or authentication firewall, effectively exposing them all to the world.
Researchers say that the data points can easily be strung together to create an “extremely personal snapshot of someone’s medical situation. CVS Health is now on the hook for this massive breach of private medical records.
In a blog post, security researcher Jeremiah Fowler blamed “human error” for the breach, though Threat Post‘s Lisa Vaas says this is just the latest in a long line of “rampant misconfiguration that’s plaguing cloud-based storage, leading to exposure of sensitive data on an internal network.”
Researchers from WebsitePlanet apparently found the non-password-protected database, which had no authentication in place whatsoever. This discovery occurred on March 21.
These same researchers coordinated with Fowler on the same day before contacting CVS Health to report it. The naked database was then closed off from public view while the situation was investigated further.
How will CVS Health make things right for its customers?
A CVS spokesperson confirmed the findings, indicating that CVS Health had, in fact, been notified of the exposure of a publicly accessible database that contained “non-identifiable CVS Health metadata.”
CVS Health, by the way, is the parent company of the well-known CVS Pharmacy retail chain, as well as CVS Caremark, a pharmacy benefits manager, and Aetna, a health insurance provider.
It was determined upon investigation that the breached database was hosted by a third-party vendor, which CVS Health has refused to publicly name. The company insists that no personally identifiable information (PII) of customers was in the database.
Fowler, however, says that there was plenty of information in the database to piece together customers’ PII, including their personal email addresses.
In total, there was 204 gigabytes (GB) worth of data on the server, which covers more than 1.1 billion records.
“They were labeled ‘production’ and included information typed into search bars, such as the data types add to cart, configuration, dashboard, index-pattern, more refinements, order, remove from cart, search, server,” Vaas says.
The records also exposed fields containing Visitor ID, Session ID, and device information including whether customers were using an iPhone or an Android, or a desktop PC versus an iPad.
Stringing this data together to produce personalized information is easier than CVS Health is letting on, it turns out. Customers could potentially be targeted by a phishing attack or even a social engineering experiment “potentially used to cross-reference other actions.”
Interestingly, CVS was caught back in 2013 trying to bribe its customers into sharing their personal medical records to pad the company’s bottom line through a questionable marketing scheme.
What CVS was doing was luring customers into enrolling in a program that offered cash prizes and other rewards on the condition that their medical privacy rights under HIPAA would be signed away, allowing CVS to do whatever it wanted with them.
Now, this information has conveniently been “leaked” by a CVS-contracted company in an apparent “accident” that cybersecurity experts say is common in misconfigured cloud computing systems.
“What options do we have for pursuing legal action?” asked one Threat Post commenter. “What fallout will there be for CVS?”
“This should not be treated as an ‘oopsey,'” wrote another. “Someone needs to be held accountable for these types of egregious errors.”
More related news about the susceptibility of electronic medical records to hacking and privacy breaches can be found at CyberWar.news.
Sources for this article include: