Abstract
The CVS medical data breach in March of 2021 was a source of anxiety, fear, and anger in many users, leading to lower customer loyalty. Our study found that their websites used misconfigured databases, allowing an adversary to steal healthcare data through session hijacking attacks. Customers’ search metadata containing email addresses, prescriptions, and other medical search queries, were stored in cloud-hosted log files. Although no concrete evidence of data misuse was uncovered, the research found that over a billion confidential search queries were potentially exposed to adversaries. This paper analyzes the data breach methodology and impact in detail and provides possible defense strategies against such attacks. It violates the security and protection regulations mandating proper confidentiality of users’ private medical and healthcare information. This paper also outlines possible defense measures against healthcare data session hijacking attacks, including having policies in place, such as an incident response plan, preserving evidence of the breach, and isolating the data breach.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
McKeon, J.: CVS health faces data breach, 1B search records exposed, June 2021. https://healthitsecurity.com/news/cvs-health-faces-data-breach1b-search-records-exposed
McGee, M.K., Ross, R.: Researcher: 1 billion CVS health website records exposed, June 2021. https://www.govinfosecurity.com/researcher-1-billion-cvs-health-website-records-exposed-a-16890
Alder, S.: 1 billion-record database of searches of CVS website exposed online, June 2021. https://www.hipaajournal.com/1-billion-record-database-of-searches-of-cvs-website-exposed-online/
CVS: CVS health notice of privacy practices. https://www.cvs.com/content/patient-privacy
Chatterjee, S., Gao, X., Sarkar, S., Uzmanoglu, C.: Reacting to the scope of a data breach: the differential role of fear and anger. J. Bus. Res. 101, 183–193 (2019)
CyberTalk: CVS accidentally leaks more than 1 billion records. https://www.cybertalk.org/2021/06/16/cvs-accidentally-leaks-more-than-1-billion-records
Fowler, J.: Report: CVS health exposed search records online. https://www.websiteplanet.com/blog/cvs-health-leak-report/
Leggate, J.: What is CVS health? https://www.foxbusiness.com/markets/what-is-cvs-health
CVS: About CVS health. https://www.foxbusiness.com/markets/what-is-cvs-health
Caremark. https://www.caremark.com/
Conner, B.: Mid-year update: 2021 SonicWall cyber threat report (2021)
1 billion CVS health records breached, June 2021. https://rocketit.com/cvs-health-data-breach/
Brewster, T.: CVS accidentally leaks 1 billion website records-including Covid-19 vaccine searches. https://www.forbes.com/sites/thomasbrewster/2021/06/16/cvs-accidentally-leaks-1-billion-website-records-including-covid-19-vaccine-searches/?sh=1986e4d92c4f
Paganini, P.: Over a billion records belonging to CVS Health exposed online, June 2021
More than 1 billion CVS data records accidentally exposed, researcher says, June 2021. https://abc30.com/cvs-data-breach-medical-records-health-cyber-attack/10798172/
Turea, M.: CVS health suffers database breach leaving 1b records exposed online, July 2021. https://healthcareweekly.com/cvs-health-database-breach
Hussain Seh, A., et al.: Healthcare data breaches: insights and implications. Healthcare 8(2), 133 (2020)
The potential damages and consequences of medical identity theft and healthcare data breaches, April 2010. https://www.experian.com/assets/data-breach/white-papers/consequences-medical-id-theft-healthcare.pdf
Sinanaj, G., Zafar, H.: Who wins in a data breach?-A comparative study on the intangible costs of data breach incidents. In: PACIS, p. 60 (2016)
Tweneboah-Koduah, S., Atsu, F., Prasad, R.: Reaction of stock volatility to data breach: an event study. J. Cyber Secur. Mob. 9(3), 355–384 (2020)
Azubuike, S.: Cybersecurity attacks: regulatory and practical approach towards preventing data breach and cyber-attacks in USA (2021)
Stone, J.: How to manage a healthcare data breach. https://www.securitymetrics.com/blog/how-manage-healthcare-data-breach
Landi, H.: CVS health database leak left 1B user records exposed online, June 2021. https://www.fiercehealthcare.com/tech/cvs-health-database-leak-leaves-1-billion-user-records-exposed-online
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Prentosito, A., Skoczen, M., Kahrs, L., Bhunia, S. (2022). Case Study on a Session Hijacking Attack: The 2021 CVS Health Data Breach. In: Awan, I., Younas, M., Poniszewska-Marańda, A. (eds) Mobile Web and Intelligent Information Systems. MobiWIS 2022. Lecture Notes in Computer Science, vol 13475. Springer, Cham. https://doi.org/10.1007/978-3-031-14391-5_7
Download citation
DOI: https://doi.org/10.1007/978-3-031-14391-5_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-14390-8
Online ISBN: 978-3-031-14391-5
eBook Packages: Computer ScienceComputer Science (R0)