Pharma company Pfizer has leaked the private medical data of prescription-drug users in the US for months, possibly years, because of an unprotected Google Cloud storage bucket.
Hundreds of medical patients taking cancer drugs, Premarin, Lyrica & more are now vulnerable to phishing, malware & identity fraud.
The exposed data includes phone-call transcripts & personally identifiable information (PII), according to vpnMentor’s cyber-security research team.
The victims include people using pharmaceuticals like Lyrica, smoking-cessation aid Chantix, Viagra, menopause drug Premarin, & cancer treatments such as Aromasin, Depo-Medrol & Ibrance. Some of the transcripts were related to conversations about Advil, which is manufactured by Pfizer in a joint venture with GlaxoSmithKline.
“Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed,” researchers explained.
“However, upon further investigation, we found files & entries connected to various brands owned by Pfizer. Eventually, our team concluded the bucket most likely belonged to the company’s US Drug Safety Unit (DSU).”
The PII includes full names, home addresses, email addresses, phone numbers, & partial details for health & medical status, vpnMentor noted. Perhaps more concerning are the transcripts, which are related to Pfizer’s automated customer-support system.
The company captured conversations with customers calling into the company’s interactive voice response (IVR) customer support asking about refills, side-effects & the like.
“The folder containing the transcripts was named ‘escalations,’ suggesting they were part of an automated internal process managing customer queries & complaints,” according to a vpnMentor blog post on Tuesday.
“We also reviewed transcripts in which the conversation was ‘escalated’ to human customer support agents. It appeared these agents were registered nurses representing Pfizer in matters relating to its pharmaceutical brands.”
Hundreds of people were exposed, with some of the information dating back to Oct. 2018. Researchers discovered the bucket open to the internet (with no passwords or usernames required) in July. After several attempts to contact the company, the bucket was finally made private on Sept. 23.
“It took 2 months, but eventually, we received a reply from the company,” according to vpnMentor. “When they finally replied, all we received was the following statement: ‘From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).’ This was a surprising response from one of the biggest companies in the world.”
After sharing a file with a sample of customers’ PII data with the company, the bucket was secured but vpnMentor received no further communication from Pfizer, it commented.
A company spokesperson commented, “Pfizer is aware that a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available.
We take privacy & product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue & notifications compliant with applicable laws will be sent to individuals.”
There are a variety of attacks that cyber-criminals could carry out if they had gained access to the information. It is not clear how long in total the bucket was exposed, & there is no way of knowing whether malicious actors accessed it.
Hackers could mount highly convincing phishing campaigns using a combination of the PII & the details of the medical prescriptions the targets are taking.
“Hackers could easily trick victims by appearing as Pfizer’s customer-support department & referencing the conversations taking place in the transcripts,” explained vpnMentor researchers.
They added, “For example, many people were enquiring about prescription refills & other queries. Such circumstances give cyber-criminals a great opportunity to pose as Pfizer & request card details in order to proceed with the refills.”
Attackers could also use the data to phish additional information about a patient, such as their home address, & could from there completely steal the person’s identity. They could hijack prescription refills, or, in the worst case, “destroy a person’s financial wellbeing & create tremendous difficulty in their personal lives.”
Then there is the malware aspect. A malicious link in a convincing email could lead to malware execution on the user’s device, which in turn could compromise an entire network to which the device is connected.
Researchers at vpnMentor also pointed out the potential physical-safety ramifications of the exposure.
“There’s a high probability the people exposed in these transcripts are experiencing ill health, physically & emotionally,” according to the report. “One of the medicines referenced, Lyrica, is used to treat anxiety disorders, while others, such as Ibrance & Aromasin, are used in the treatment of cancer.
At the time of the data breach, coronavirus was still surging across the US. If cyber-criminals had successfully robbed from or defrauded someone taking medication for anxiety in any way, the potential impact on their mental health is immeasurable & impossible to understate.”
Rampant Cloud Misconfigurations
A too-large percentage of cloud databases containing highly sensitive information are publicly available, an analysis in Sept. found. The study from Comparitech showed that 6% of all Google Cloud buckets are misconfigured & left open to the public internet, for anyone to access their contents.
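As an added defender-side example (not from the article or vpnMentor), here is the check that catches exactly this kind of misconfiguration: a Python script that reads a bucket's IAM policy in the JSON form that `gsutil iam get gs://<bucket>` prints, flags any binding granted to `allUsers` or `allAuthenticatedUsers`, and produces a cleaned policy with those principals removed. The group and service-account identities in the sample are constructed placeholders.

```python
import json

# Principals that make a binding public: anyone on the internet, or any
# Google account holder, which is effectively the same thing.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape `gsutil iam get gs://<bucket>` prints:
# one legitimate binding plus two public grants of the kind that expose
# a bucket's contents to anyone who finds the URL.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "serviceAccount:ivr-export@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "CAE="
}
"""

def find_public_bindings(policy: dict) -> list:
    """Return (role, member) pairs that grant access to the public."""
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append((binding["role"], member))
    return hits

def remove_public_access(policy: dict) -> dict:
    """Copy of the policy with public principals stripped; bindings left
    without members are dropped, which is how the IAM API expects it."""
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    cleaned["bindings"] = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if members:
            cleaned["bindings"].append({**binding, "members": members})
    return cleaned

if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)
    for role, member in find_public_bindings(policy):
        print(f"PUBLIC: {member} has {role}")
    print(json.dumps(remove_public_access(policy), indent=2))
```

The cleaned policy can be written back with `gsutil iam set <file> gs://<bucket>`; pairing this with an org-level `storage.publicAccessPrevention` constraint stops the grant from being re-added later.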
2020 has had its share of high-profile problems. Last week, Broadvoice, a well-known VoIP provider that serves small & medium-sized businesses, was found to have leaked more than 350 million customer records related to the company’s “b-hive” cloud-based communications suite.
Among other incidents this autumn, an estimated 100,000 customers of Razer, a provider of high-end gaming gear ranging from laptops to apparel, had their private info exposed via a misconfigured Elasticsearch server.
A misconfigured, Mailfire-owned Elasticsearch server impacting 70 dating & e-commerce sites was found leaking PII & details such as romantic preferences. Also, the Welsh arm of the National Health Service announced that PII for Welsh residents who had tested positive for COVID-19 was exposed via a public cloud upload.