CVS Health database leak left 1B user records exposed online

Many healthcare breaches can be traced to misconfigured databases, servers and other IT, and some breaches involving misconfigurations have resulted in massive amounts of data being exposed online. (Eric Glenn/Shutterstock.com)

More than 1 billion search records belonging to CVS Health were accidentally posted online and accessible to the public earlier this year.

The database belonging to the healthcare and retail giant, which was not password protected, was discovered at the end of March by independent cybersecurity researcher Jeremiah Fowler, according to a report published by Website Planet, which conducts research into unsecured internet data.

The database, which was approximately 204 gigabytes in size and totaled 1.1 billion records, had no form of authentication in place to prevent unauthorized entry, the researchers said.

The data exposed online included customer email addresses, user IDs and customer searches on CVS Pharmacy websites for COVID-19 vaccines and other medications, according to the report.

The data, collected from both CVS Health and CVS.com, represent website visitor logs that show everything visitors searched for, which is valuable analytical data for companies to see how customers are interacting with their platforms.


"I saw multiple records that indicated visitors searching for a range of items including medications, COVID-19 vaccines, and other CVS products. Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails," Fowler wrote.

The unsecured database poses a risk that the email addresses exposed could be targeted in a phishing attack for social engineering, according to the researchers.

Fowler said the team of researchers immediately sent a responsible disclosure notice to CVS Health, and public access was restricted the same day.

In a statement, a CVS spokesperson confirmed that in March a security researcher notified the company of a publicly accessible database that contained non-identifiable CVS Health metadata.

"We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personally identifiable information of our customers, members, or patients," the spokesperson said.


CVS Health said it worked with the vendor to quickly take the database down. 

"As the researcher’s report indicates, there was no risk to customers, members or patients. We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter," the spokesperson said.

According to Fowler's report, CVS representatives said the customer emails were not from CVS customer account records and were entered into the search bar by visitors themselves.

"Unfortunately, only human error can be blamed for both the misconfiguration that publicly exposed the database and website visitors who entered their own email addresses in the search bar," Fowler wrote in the security report.
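The exposure described above combined two weaknesses: an analytics store reachable without authentication, and search logs that retained whatever visitors typed, including their own email addresses, alongside a session ID that could tie those searches together. The following Python is an added example (not code from CVS, its vendor, or Website Planet) of the ingestion-side control a defender would want for the second weakness: redact email-like tokens from the free-text search field before it is written to analytics storage, pseudonymize the session ID with a keyed HMAC so the analytics copy cannot be joined back to a live session, and audit a batch of records for anything that slipped through. The record layout, field names and the sample rows are constructed for illustration; the HMAC key is a placeholder.

```python
import hashlib
import hmac
import re

# Constructed sample search-log rows, modelled loosely on the kind of
# visitor-search analytics the article describes. Not real data.
SAMPLE_LOG = [
    {"session_id": "s-1001", "query": "covid vaccine appointment"},
    {"session_id": "s-1002", "query": "jane.doe@example.com"},
    {"session_id": "s-1003", "query": "lisinopril 10mg refill Jane.Doe@Example.org"},
]

# Placeholder key for the session-ID pseudonymization; in practice this would
# come from a secrets manager and never sit in the analytics store itself.
PLACEHOLDER_KEY = b"replace-with-a-real-secret"

# Matches the common shape of an email address typed into a search bar.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTION = "[REDACTED_EMAIL]"


def redact_email(text: str) -> str:
    """Replace every email-like token in free text with a fixed marker."""
    return EMAIL_RE.sub(REDACTION, text)


def pseudonymize_session(session_id: str, key: bytes) -> str:
    """Keyed one-way mapping of a session ID: consistent within the dataset,
    but not reversible without the key, so analytics rows cannot be joined
    back to the live session store."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_record(record: dict, key: bytes) -> dict:
    """Return a copy of one log row that is safe to hand to analytics."""
    clean = dict(record)
    clean["query"] = redact_email(record["query"])
    clean["session_id"] = pseudonymize_session(record["session_id"], key)
    # Flag rows that contained an email so the rate of self-entered PII
    # can be tracked without keeping the value itself.
    clean["had_email"] = clean["query"] != record["query"]
    return clean


def sanitize_log(records: list, key: bytes) -> list:
    return [sanitize_record(r, key) for r in records]


def audit_log(records: list) -> list:
    """Session IDs of rows whose query field still contains an email
    address; an empty list means the batch is clean."""
    return [r["session_id"] for r in records if EMAIL_RE.search(r["query"])]


if __name__ == "__main__":
    print("before:", audit_log(SAMPLE_LOG))
    cleaned = sanitize_log(SAMPLE_LOG, PLACEHOLDER_KEY)
    print("after: ", audit_log(cleaned))
    for row in cleaned:
        print(row)
```

The audit function is the useful check on an existing store: run it over a sample of rows already written and a non-empty result tells you the pipeline is retaining visitor-entered PII regardless of whether the database happens to be reachable from the internet that day.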

Many healthcare breaches can be traced to misconfigured databases, servers and other IT, and some breaches involving misconfigurations have resulted in massive amounts of data being exposed online.

In 2019, Seattle-based UW Medicine had to notify close to 1 million patients of a database configuration error that exposed their protected health information on the internet for several weeks.