1 Billion-Record Database of Searches of CVS Website Exposed Online

2020 Healthcare Data Breach Report

Share this article on:

A database belonging to CVS Pharmacy that included approximately 1 billion search records has been exposed online. The database included information about searches performed by visitors to CVS.com and CVSHealth.com, typically for information about medications an COVID-19 vaccines.

It is common for databases such as these to be maintained by companies. The search information can be used for analytics, customer management, marketing, and other purposes to improve the services provided to customers. These searches can sometimes be tied to an individual by their IP address, or in this case by the searcher’s email address.

The colossal database was discovered by security researcher Jeremiah Fowler. Fowler found that the email addresses of some visitors to the websites was also included in the database. Due to the size of the database, it was not possible to perform searches of all data but searching a sample of data in the database confirmed many email addresses were present. It is not clear why email addresses were recorded. Fowler suggests it could have been people mistakenly attempting to login using the search field.

Fowler did not download the full database, so was unable to determine how many email addresses were present in the database. It is also unclear if Fowler was the first to discover the database and whether any other individuals may have viewed or even downloaded the database while it was accessible.

According to Fowler, the database had been exposed online due to a misconfiguration issue. Fowler contacted CVS to alert them to the exposed database and it was quickly secured. “We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members or patients. We worked with the vendor to quickly take the database down,” explained CVS in a statement issued to Forbes. “We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On