An unsecured database of more than a billion search records belonging to CVS Health was accidentally posted online and accessible to the public earlier this spring, ABC News confirms.
The non-password-protected database was discovered at the end of March by independent cybersecurity researcher Jeremiah Fowler, who then alerted the company to the exposure.
Those records included a large number of searches on CVS Pharmacy websites for COVID-19 vaccines and other medications, according to Fowler.
A CVS spokesperson confirmed to ABC News the data was theirs and said when they became aware of the exposure, they immediately took down the database, which they say was hosted by a third-party vendor.
The company emphasized the records did not include any personal customer, patient, or member information.
According to Fowler, some of the information revealed in those searches could have helped link to someone's identity, depending on what else they entered in the search bar.
"Some search entries included email addresses and should be a wake-up call for companies to ensure their data security is solid," he said. "There were certain times where individuals put their own email addresses into the search bar and then that correlated with a visitor ID and user ID, and then usually it showed what they searched for. So, hypothetically, you could have connected those three and figured it out."
Fowler also said when it comes to medical data, cyber criminals are extremely smart at phishing and social engineering.
"Logically, once you had an email and could see medications, there's all kinds of things you could do with it," he said.
Meanwhile, a CVS spokesperson said they've addressed the issue with the vendor in question to prevent this from happening again, but would not comment on whether they would continue contracting with said vendor.
Read the company's full statement below:
"In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata. We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. As the researcher's report indicates, there was no risk to customers, members or patients, and we worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter."