CVS Health and Volkswagen have been contacting millions of their customers to tell them that their personal information has been exposed. In two separate incidences, both companies were recently alerted that vendor errors compromised their data.
A misconfiguration in a CVS Health cloud database left 1.1 billion records exposed, according to an investigation by WebsitePlanet in cooperation with security researcher Jeremiah Fowler. The database had no form of authentication in place to prevent unauthorized entry, the researchers said. In his report, Fowler wrote that he saw multiple records that indicated visitors searching online for a range of items including medications, COVID-19 vaccines, and other CVS products, had their data exposed, including their email addresses and user IDs.
The unsecured database now poses a risk that the email addresses exposed could be targeted in a phishing attack for social engineering, according to the researchers. Fowler said the team of researchers immediately sent a responsible disclosure notice to CVS Health and public access was restricted the same day.
In a statement, a CVS spokesperson confirmed that in March a security researcher notified the company of a publicly accessible database that contained non-identifiable CVS Health metadata. “We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personally identifiable information of our customers, members, or patients,” the spokesperson said, noting also that they worked with the vendor to quickly take the database down.
In the meantime, Volkswagen and its Audi subsidiary have been notifying more than three million people in the U.S. and another 163,000 people in Canada of a breach of personal information by a marketing services supplier. Without identifying the supplier, Volkswagen says it exposed the data it had collected between 2014 and 2019. According to the report, that company left the data unsecured for 21 months, ending last month.
For most affected individuals, exposed data includes their name, mailing address, email address and phone numbers.
In his report regarding the CVS breach, Fowler made a statement that might also be applied to Volkswagen, when he wrote, “Unfortunately, only human error can be blamed.”
Here are a few lessons we can pick up from these breaches.
- Encrypt and password protect any and all cloud storage.
- Review and verify that your Business Associate Agreements are up to standard.
- Invest in Phishing/Cyber Security training.
- Contact PrivaPlan today to put lessons into practice: email@example.com or 877-218-7707.
PrivaPlan’s IT Security expert Ron Bebus reminds us that vendors are not “hire and forget.” He says, “While a BAA might protect you legally from some aspects of vendor mistakes, it is your responsibility to your patients to protect their data and to protect your reputation. Review all your vendor security practices just like you review your own.”