Healthcare giant CVS exposed over a billion health records via a misconfigured cloud database leak. The Woonsocket, Rhode Island-based health services provider owns CVS Pharmacy, CVS Caremark, and Aetna.
Website Planet’s security researcher Jeremiah Fowler discovered the database leak while conducting routine internet scanning for exposed cloud databases. Fowler said the database did not have any authentication mechanisms or an access password.
Exposed health records could help attackers to identify and target users
The 204 GB leaked database contained just over a billion records, including visitor and session IDs, device information (whether iPhone, iPad, or Android), and event and configuration data. The leaked database also contained multiple records for medications, including COVID-19 vaccines and CVS products for cvshealth.com and cvs.com.
They also exposed the backend logging service blueprints that could allow hackers to understand how the data is stored. Fowler noted that the health records were marked for “production” and the company recorded what visitors searched possibly for analytics and user experience.
Fowler noted that attackers could match customer IDs with email addresses submitted during the search functionality.
“Hypothetically, it could have been possible to match the Session ID with what they searched for or added to the shopping cart during that session and then try to identify the customer using the exposed emails,” Fowler said.
For some mysterious reason, website users submitted their email addresses instead of the search query on both websites. Fowler explained that users could have inadvertently submitted their emails believing they were logging in instead of conducting a search query.
The total number of exposed health records was difficult to determine, given that Fowler did not download the data to protect the privacy of the victims.
“The number of records would time-out or break my browsing tool when I tried to get a total number of emails … In a small sampling of records there were emails from all major email providers,” Fowler explained.
Fowler informed the healthcare giant of the database leak, which was secured on the same day on March 21, 2021.
CVS healthcare attributes the database leak to a third-party vendor
CVS spokesman acknowledged the database leak but attributed it to a third-party vendor, noting that only “non-identifiable CVS Health metadata” was exposed.
“We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We’ve addressed the issue with the vendor to prevent a recurrence, and we thank the researcher who notified us about this matter,” he said.
However, attackers could use the information to craft convincing phishing messages targeting website users whose emails and medical searches were exposed in the database leak. Fowler also noted that the data could also be used to cross-reference for other actions.
He blamed human error for the database leak and users inadvertently typing their email addresses in the search bar.
CVS is hardly the first health services provider to expose patient health records through database misconfiguration. In 2019, UW medicine exposed 1 million confidential health records through a misconfigured database leak.
Problem with database leak
Pravin Rasiah, VP of Product at CloudSphere says that healthcare systems entrusted with sensitive health records must be hypervigilant in protecting the data they collect.
“Patient records, visitor sessions, and logging information are all at risk. Leaving a database exposed without a password or authentication to prevent unauthorized entry is a surefire way to put this highly sensitive data in jeopardy.”
He added that the lack of proper awareness of user access could create a loophole for cybercriminals to exploit.
“To ensure data remain secure, a governance platform with the ability to provide real-time updates within the cloud landscape is vital. With holistic visibility into complex deployments, user access, and security guardrails in place to identify and remediate potential misconfigurations, healthcare organizations can properly secure and protect their patients’ information.”
PJ Norris, Senior Systems Engineer at Tripwire, said that cloud misconfigurations were far too common. He noted that exposed databases on internal networks could remain unnoticed, thus preventing unauthorized public access, unlike cloud systems directly connected to the Internet.
“Organizations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch and Amazon S3. Once a process is in place, the systems must be monitored for changes to their configurations. These are solvable problems, and tools exist today to help.”
Commenting on the CVS data leak, David Pickett, Senior Cybersecurity Analyst at Zix | AppRiver says that organizations must ensure that entities accessing sensitive customer information have proper security measures in place.
“Companies that house personal information for millions of customers need to reflect on their current password practices and ensure they are building the safest habits to protect their company and customers from cybercriminals. In this case, the database was not protected by a password and had no authentication requirements.”
He noted that implementing two-factor authentication (2FA) or multi-factor authentication (MFA) provides an extra layer of security by requiring users to confirm their identity, after entering their password through additional means such as unique codes sent to their phones or email addresses or through an authentication app.
“It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical. Another component to be mindful of when working with third-party vendors that have access to company data is reviewing and understanding what the vendor agreement encompasses for security practices. These solutions will help to prevent companies from becoming another statistic in a long list of companies who have had data exposed online.”
“Unfortunately, this isn’t the first time a misconfiguration has exposed massive amounts of data online without any password protection or authentication controls in place,” says Jasen Meece, CEO of Cloudentity. “To prevent misconfigurations, organizations must implement identity and access management (IAM) controls on their databases and all other resources within their network to ensure every point of entry is secured.”
He also recommended the Zero Trust approach based on user contexts (who, what, where, when, etc.) to continuously authorize users along the way before granting them access.