CVS Health Data Leak Exposes 1 Billion User Records

Over one billion CVS Health search and user records have accidentally been leaked online in late March of this year. The incident reportedly occurred after an unnamed third-party provider posted a database online.

According to ZD Net, security researcher Jeremiah Fowler alongside WebsitePlanet revealed Thursday, June 17, 2021, that they have discovered a CVS Health database online that was 204 gigabytes in size.

In total, ZD Net states that the team discovered over one billion data points were compromised. These records were supposedly connected to CVS, including this pharmaceutical arm CVS Pharmacy and Aetna.

CVS Health Data Leak Exposes User Records

Based on the findings of the news site and the researcher, the database in question did not come with password protection as well as authentication protection. Among those compromised in the data security leak include production records of visitor IDs, session IDs, as well as event and configuration data.

Moreover, the database also contained device access information, such as the visitor’s type of mobile device and whether or not they were using an iPhone or Android model. In addition to this, the records also showed users’ searches for certain types of medication, COVID-19 vaccines, and other CVS products, reveals ZD Net.

The records all show searches not only on CVS.com, but also on CVSHealth.com to address their needs for medications and other CVS-related products, notes Forbes.

On top of these, Forbes also said that users keyed in their email address in the search bar, which may potentially link users to an identifier. Fowler, however, said that this could simply be a mistake on the user’s end, given that they may be thinking they were logging in to their account.

The report by Fowler and the WebsitePlanet team also read, “Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and they try to identify the customer using the exposed emails.”

Fowler and WebsitePlanet have since reached out to CVS Health to notify them about the incident. ZD Net states that the team was quick to receive a response, with CVS Health admitting the database in question belonged to them.

Following the attack, the WebsitePlanet team revealed that CVS Health already reached out to the unnamed third-party vendor in order to take out the database from the Internet. The company also maintained that the database did not contain the personal information of customers, members, or patients.