Case Study on a Session Hijacking Attack: The 2021 CVS Health Data Breach

  • Conference paper
Mobile Web and Intelligent Information Systems (MobiWIS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13475))

  • 692 Accesses

Abstract

The CVS medical data breach in March of 2021 was a source of anxiety, fear, and anger for many users, leading to lower customer loyalty. Our study found that CVS’s websites used misconfigured databases, allowing an adversary to steal healthcare data through session hijacking attacks. Customers’ search metadata, containing email addresses, prescriptions, and other medical search queries, was stored in cloud-hosted log files. Although no concrete evidence of data misuse was uncovered, the research found that over a billion confidential search queries were potentially exposed to adversaries. The breach violates the security and protection regulations mandating proper confidentiality of users’ private medical and healthcare information. This paper analyzes the data breach methodology and impact in detail and outlines possible defense measures against healthcare data session hijacking attacks, including having policies in place, such as an incident response plan, preserving evidence of the breach, and isolating the data breach.

Author information

Corresponding author

Correspondence to Aversa Prentosito.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Prentosito, A., Skoczen, M., Kahrs, L., Bhunia, S. (2022). Case Study on a Session Hijacking Attack: The 2021 CVS Health Data Breach. In: Awan, I., Younas, M., Poniszewska-Marańda, A. (eds) Mobile Web and Intelligent Information Systems. MobiWIS 2022. Lecture Notes in Computer Science, vol 13475. Springer, Cham. https://doi.org/10.1007/978-3-031-14391-5_7

  • DOI: https://doi.org/10.1007/978-3-031-14391-5_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-14390-8

  • Online ISBN: 978-3-031-14391-5

  • eBook Packages: Computer Science, Computer Science (R0)
