Over a billion records belonging to CVS Health exposed online

A database, 204GB in size, containing event and configuration data including production records of visitor IDs, session IDs and device access information, has been breached.

A pattern of data, taken at the Barbican Centre, London. Image by Tim Sandle
Security researchers have revealed the discovery of an online database belonging to CVS Health which exposed over a billion records online. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry.

Upon examination of the database, the team found over one billion records that were connected to the US healthcare and pharmaceutical giant, which owns brands including CVS Pharmacy and Aetna.

The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information — such as whether visitors to the firm’s domains used an iPhone or Android handset — as well as what the team calls a “blueprint” of how the logging system operated from the backend.

In addition, the records contained search data from CVS.com and CVSHealth.com for both COVID-19 vaccines and medications, according to Forbes.

Commenting on this latest incident for Digital Journal is Pravin Rasiah, VP of Product, CloudSphere.

Rasiah begins his analysis by singling out why healthcare has become a recurrent target: “Healthcare systems, entrusted with large amounts of information, must be hypervigilant in protecting all of the data they collect.”

Because of the value of data relating to people, their medical conditions and their interactions with medical treatments, rogue actors have healthcare in mind. In addition, some rogue states may wish to simply disrupt another nation’s healthcare system.

Consequently, Rasiah finds: “Patient records, visitor sessions and logging information are all at risk. Leaving a database exposed without a password or authentication to prevent unauthorized entry is a surefire way to put this highly sensitive data in jeopardy.”

Many vulnerabilities are due to the configuration or mismanagement of cloud computing. According to Rasiah: “The complexity of cloud platforms means that without proper awareness of user access, any gap in security could leave the door open for cybercriminals to infiltrate.”

As to what can be done, Rasiah recommends: “To ensure data remain secure, a governance platform with the ability to provide real-time updates within the cloud landscape is vital. With holistic visibility into complex deployments, user access, and security guardrails in place to identify and remediate potential misconfigurations, healthcare organizations can properly secure and protect their patients’ information.”

