More than 1B CVS Health records exposed in online database

Security researchers earlier this spring discovered a database containing more than a billion records, including emails that could be targeted in a phishing attack for social engineering.

The database, which was not password-protected, was flagged by the WebsitePlanet research team in cooperation with Jeremiah Fowler.

Public access to the data was restricted the same day that CVS Health was notified.

“In March of this year, a security researcher notified us of a publicly accessible database that contained non-identifiable CVS Health metadata,” said CVS Health in a statement sent to Healthcare IT News.

“We immediately investigated and determined that the database, which was hosted by a third-party vendor, did not contain any personally identifiable information of our customers, members or patients,” according to the statement.

“We’ve addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter.”


According to CVS Health, the metadata did not contain any personally identifiable information, and there was no risk to patients, customers or members.

Read more