CVS Website with 1 Billion-Record Database of Searches Exposed on the Internet

A database that belongs to CVS Pharmacy having roughly 1 billion search records was compromised on the internet. The database contained data regarding searches done by guests to and, usually for data concerning medicines and COVID-19 vaccines.

It is usual for databases like these to be managed by businesses. The search data could be utilized for analytics, client management, advertising, and other uses to enhance the services offered to consumers. These searches could at times be associated with a person through their IP address, or in this instance by the email address of the searcher.

Security researcher Jeremiah Fowler discovered the huge database. He also learned that the email addresses of a number of site visitors were contained in the database as well. Because of the magnitude of the database, it wasn’t possible to do queries of all information however searching a small sample of information in the database affirmed the presence of numerous email addresses. It isn’t very clear why email addresses were captured. Fowler thinks it may have been individuals erroneously trying to log in by using the search field.

Fowler didn’t download the complete database, thus he could not find out how many email addresses actually existed in the database. It’s likewise uncertain if Fowler was the first person to find the database or if any other person might have accessed or downloaded the database although it was available.

Fowler stated that the database was compromised on the internet because of a misconfiguration problem. Fowler got in touch with CVS to notify them about the unsecured database and it was immediately secured. CVS quickly looked into the incident and confirmed that the database, which a third-party vendor-hosted, didn’t have any personal data of its clients, patients, or members. CVS asked the vendor to take down the database immediately. The issue is being addressed to stop a repeat. It is good the researcher informed CVS concerning this matter.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at