HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

1 Billion-Record Database of Searches of CVS Website Exposed Online

A database belonging to CVS Pharmacy that included approximately 1 billion search records has been exposed online. The database included information about searches performed by visitors to CVS.com and CVSHealth.com, typically for information about medications and COVID-19 vaccines.

It is common for databases such as these to be maintained by companies. The search information can be used for analytics, customer management, marketing, and other purposes to improve the services provided to customers. These searches can sometimes be tied to an individual by their IP address, or in this case by the searcher’s email address.

The colossal database was discovered by security researcher Jeremiah Fowler. Fowler found that the email addresses of some visitors to the websites were also included in the database. Due to the size of the database, it was not possible to perform searches of all data, but searching a sample of data in the database confirmed many email addresses were present. It is not clear why email addresses were recorded. Fowler suggests it could have been people mistakenly attempting to log in using the search field.

Fowler did not download the full database, so was unable to determine how many email addresses were present in the database. It is also unclear if Fowler was the first to discover the database and whether any other individuals may have viewed or even downloaded the database while it was accessible.

According to Fowler, the database had been exposed online due to a misconfiguration issue. Fowler contacted CVS to alert them to the exposed database and it was quickly secured. “We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members or patients. We worked with the vendor to quickly take the database down,” explained CVS in a statement issued to Forbes. “We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.