A potential hacker’s holiday–damage unknown, but now secured. Back in March, cybersecurity researcher Jonathan Fowler, working with the WebsitePlanet research team, discovered an unsecured database, hosted by an undisclosed third-party vendor, with information clearly linked in their view to CVS Health. Mr. Fowler and WebsitePlanet immediately notified CVS Health through a responsible disclosure notice. 

The files were production files with 1,148,327,940 records in a file of 204 GB. CVS worked quickly to secure the data that same day by shutting down public access. CVS confirmed to WebsitePlanet that it was indeed their data. No directly personally identifiable information (PII) was included of customers, members, or patients. Instead, the histories are largely log files from searching and shopping on the site. However, Mr. Fowler maintains that there was enough information in the files to derive customers’ PII, including their email addresses.

The story is breaking now on media, notably ABC-TV cited in Becker’s. While apparently not a true breach or malicious–just another one of those darn errors–it presented a real danger to CVS Health customers. Whether the publicity will force CVS Health to take remedial action is to be determined. Not ‘Hackermania Running Wild’ but could have been in this overheated world of ransomware and Healthcare Hacking. CVS needs to keep far tighter oversight on their vendors. They should post what’s left and above in the IT Department. Also Threatpoint and Becker’s Health IT