A CVS database containing more than 1 billion data records was posted online earlier this year. CVS is a chain of U.S.-based pharmacies. Many healthcare breaches can be traced to misconfigured databases, servers and other IT systems, and the recent incident appears to be a similar case.
The leaked records include a large number of searches on CVS.com and CVSHealth.com for medications and COVID-19 vaccines, among other items.
A CVS spokesperson says the company swiftly took down the database, according to Forbes.
Looking into the matter for Digital Journal is David Pickett, threat hunter and senior cybersecurity analyst at Zix | AppRiver.
Pickett explains the importance of the health-related data breach and the significance of the exposed data: “The exposure of over a billion records belonging to CVS Health highlights the importance of protecting sensitive customer information as well as ensuring your organization and any third-party vendors who have been brought on to help with security and cloud migration have proper security measures in place.”
Pickett goes on to outline the duty of care that firms holding the personal data of others need to develop, and to ensure is enforced through good governance. On this he says: “Companies that house personal information for millions of customers need to reflect on their current password practices and ensure they are building the safest habits to protect their company and customers from cybercriminals. In this case, the database was not protected by a password and had no authentication requirements.”
In terms of appropriate security measures for such data, Pickett recommends: “Implementing two-factor authentication (2FA) or a multi-factor authentication (MFA) protection approach provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone, email address or through an authenticator app, after entering their username and password.”
Without these types of security protocols, the task becomes easier for rogue actors: “It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.”
He also puts forward: “Another component to be mindful of when working with third-party vendors that have access to company data is reviewing and understanding what the vendor agreement encompasses for security practices.”
Pickett concludes: “These solutions will help to prevent companies from becoming another statistic in a long list of companies who have had data exposed online.”