Pfizer Data Breach Exposes Customer Info and Call Transcripts

Pharmaceutical giant Pfizer suffered a data breach that exposed customer data, HIPAA-related information, and medical prescriptions on the web.

A cybersecurity firm called vpnMentor said the pharmaceutical company exposed the private details of customers due to an unsecured Google Cloud storage bucket. Security researchers Noam Rotem and Ran Locar discovered the misconfigured cloud server on July 9, 2020.

After months of investigations, the researchers were able to trace the unsecured cloud server to Pfizer’s U.S. Drug Safety Unit. According to vpnMentor, it took two months before they got a reply from Pfizer regarding the incident.

“From the URL you gave, I failed to see how it is important Pfizer data or even an important data at all,” said Pfizer.

The cybersecurity company sent samples of customer data to prove the point to the pharmaceutical giant, but the company didn’t reply to any other correspondence. While it’s still unclear who accessed the data, Google has taken action to secure the cloud.

The exposed data includes information about customers using drugs such as Lyrica, Chantix, Viagra, Premarin, and cancer treatments Aromasin, Depo-Medrol, and Ibrance. Phone call transcripts and personally identifiable information are also included in the unsecured cloud server.

Pfizer finally broke its silence and told Verdict, “Pfizer is aware that a small number of data records on a US vendor operated system used for feedback on existing medicines were inadvertently publicly available.”

The pharmaceutical firm acknowledged the security breach and said affected individuals are US-based only.

“We take privacy and product feedback extremely seriously. To that end, when we became aware of this event, we ensured the vendor corrected the issue and notifications compliant with applicable laws have been sent to individuals,” said a company spokesperson.

Transcripts

Security researchers from vpnMentor said the most alarming information leaked from the unsecured cloud was the transcripts related to Pfizer’s customer support system. They were able to capture some of the interactive voice response conversations inquiring about refills and side effects.

It appeared that agents were registered nurses representing the pharmaceutical giant, and some of the information dates back to October 2018. That is how far back the exposure went before the researchers discovered the bucket in July. The bucket was not made private until Sept. 23.

“By exposing these transcripts to the public, Pfizer committed a basic lapse in data security and a breach of confidentiality, with significant implications for the wellbeing of the people exposed,” said vpnMentor in its report.
