Earlier this year, an independent cybersecurity researcher discovered that a CVS Health database containing more than 1 billion data points was posted online and accessible to the public. The database included records of customers’ search history on the CVS website for items such as medications and COVID-19 vaccines. Metadata categories such as “add to cart” and “remove from cart” were also included. In addition, some search entries included email addresses. While customers likely put their email addresses into the website search bar in error, they may have been linked to unique customer identifiers.
CVS issued a statement indicating that the database was hosted by a third-party vendor and “did not contain any personal information of [its] customers, members, or patients.” The exposed email addresses were not addressed in the statement. The company further communicated that the database was quickly taken down.
Learn about our Privacy Advisory Services.Get More Information
The researcher who discovered the database noted that data tracking website use can be a risk for organizations even when no obvious personal data is being collected. It is imperative that organizations ensure that all data is subject to ongoing monitoring and auditing to verify that adequate controls are in place and effective against exposure or attack.
For more information on this topic, please contact Richard Kusserow at firstname.lastname@example.org.Subscribe to blog