
ZDNet reports that "WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protected and had no form of authentication in place to prevent unauthorized entry.

"Upon examination of the database, the team found over one billion records that were connected to the US healthcare and pharmaceutical giant, which owns brands including CVS Pharmacy and Aetna. 

"The database, 204GB in size, contained event and configuration data including production records of visitor IDs, session IDs, device access information -- such as whether visitors to the firm's domains used an iPhone or Android handset -- as well as what the team calls a 'blueprint' of how the logging system operated from the backend."

According to the story, CVS Health confirmed the breach, said it took place several months ago, and "said the database was managed by an unnamed vendor on behalf of the firm and public access was restricted following disclosure."

"In March of this year, a security researcher notified us of a publicly-accessible database that contained non-identifiable CVS Health metadata," CVS Health told ZDNet. "We immediately investigated and determined that the database, which was hosted by a third party vendor, did not contain any personal information of our customers, members, or patients. We worked with the vendor to quickly take the database down. We've addressed the issue with the vendor to prevent a recurrence and we thank the researcher who notified us about this matter."

KC's View:

I guess the first question that comes to my mind is … March???????

This does not strike me as being the height of transparency, however the company wants to characterize the breach. If CVS really wants to be a health care player to the degree that it seems to, it may have to do better.