- In March, a
cybersecurity researcher discovered aCVS database including 1 billion data points. - It contained searches for COVID-19 vaccines and medications, the researcher said on Website Planet.
- Researcher Jeremiah Fowler told Forbes CVS took the data set down within one day of him notifying the firm.
A dataset containing 1 billion data points from CVS customers, including searches for medications and COVID-19 vaccines made on CVS.com, was inadvertently posted online.
Cybersecurity researcher Jeremiah Fowler discovered a non-password protected database belonging to CVS Health on March 31. Fowler posted his findings on Website Planet.
The data consisted of searches for medications, COVID-19 vaccines, and other CVS products, Fowler reported. Some searches contained email addresses and "Visitor IDs" that could have matched searches with personal identifying information.
Read more: How DNA-testing startup Helix became one of the nation's leading coronavirus tracking labs
Fowler told Forbes he did not download the full dataset for ethical reasons, as he did not want to collect personal data. The researcher added CVS took down public access to the database within one day of Fowler notifying them.
"The bad part about this finding was just how big it was," Fowler told Forbes in an interview. "In a small sampling of records there were emails from all major email providers."
CVS told Insider the firm determined the database, which was hosted by a third-party vendor, did not contain personal information of customers, members or patients. The firm worked with the vendor to quickly take down the database.
"We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter," a CVS spokesperson said in a statement.