One Billion CVS Records Accidentally Posted Online

Richard P. Kusserow | July 2021

Earlier this year, an independent cybersecurity researcher discovered that a CVS Health database containing more than 1 billion data points was posted online and accessible to the public. The database included records of customers’ search history on the CVS website for items such as medications and COVID-19 vaccines. Metadata categories such as “add to cart” and “remove from cart” were also included. In addition, some search entries included email addresses. While customers likely entered their email addresses into the website search bar in error, those addresses may have been linked to unique customer identifiers.

CVS issued a statement indicating that the database was hosted by a third-party vendor and “did not contain any personal information of [its] customers, members, or patients.” The exposed email addresses were not addressed in the statement. The company further communicated that the database was quickly taken down.

The researcher who discovered the database noted that data that tracks website use can pose a risk to organizations even when no obvious personal data is being collected. It is imperative that organizations ensure that all data is subject to ongoing monitoring and auditing to verify that adequate controls are in place and effective against exposure or attack.

For more information on this topic, please contact Richard Kusserow at [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring as DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
