Thanks to a Misconfigured Google Cloud Bucket, Pfizer Patient Data is Leaked
Table of Contents
- By Dawna M. Roberts
- Oct 21, 2020
Alarmingly, DataBreaches.net reported today that for the past couple of years, the giant pharmaceutical company Pfizer leaked sensitive patient data using a vulnerable Google cloud storage bucket.
The Pfizer Leak
The leak was discovered by vpnMentor’s Noam Rotem and Ran Locar, and they reported the incident to DataBreaches. Apparently, they found a misconfigured Google bucket that contained hundreds of records dating back to 2018 regarding products like Aromasin, Chantix, Depo-Medrol, Ibrance, Lyrica, Premarin, Advil, and Viagra and patients who use them.
The records found were actual transcripts of recorded phone calls between Pfizer’s U.S. Drug Safety Unit (US DSU) and patients who called in with questions or information about the medications. The leaked data includes patients’ names, home addresses, phone numbers, email addresses, the type of drugs they were using, their issues with it, or notice of adverse reactions. Physicians even made some calls for patients. Many of the victims of the data breach were undergoing treatment for various cancers.
Researchers commented that “Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed. However, upon further investigation, we found files and entries connected to various brands owned by Pfizer. Eventually, our team concluded the bucket most likely belonged to the company’s U.S. Drug Safety Unit (DSU).”
Databreaches.net actually examined the leaked data and found that some of the calls were related to side effects or people having difficulty getting cancer treatment medication. One even called to report a death in relationship to the medication listed. Another called to get help opening a package. Cybersecurity experts noted that there was a wide range of calls in the file.
The leaked data includes personally identifiable information (PII), leaving patients ripe for identity theft.
What Was Done About It?
The company who discovered the leak, vpnMentor, found the data on July 9th. They attempted to contact Pfizer on July 13th via email. They received nothing in response, so they tried again on July 19th, July 22nd, and then again on September 22nd.
Pfizer finally responded to the September 22nd email with “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).” As of September 23rd, Pfizer fixed the issue and made the bucket private.
ThreatPost reached out to Pfizer for comment, and they replied with, “Pfizer is aware that a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event, we ensured the vendor corrected the issue, and notifications compliant with applicable laws will be sent to individuals.”
Although the information leaked was not covered under HIPAA laws, it still exposes the patients’ data and leaves them at risk of identity theft and fraud.
Ongoing Attacks on Healthcare
Although Pfizer didn’t seem too concerned about the data leak, dozens of pharmaceutical and medical healthcare organizations have been hit hard by cybercrime and ransomware attacks.
Based on the information stolen, it would be easy for a hacker group to wage serious phishing campaigns against the people noted in the files. They had their names, email addresses, and the medications they were currently taking. That level of detail could convince many people (especially seniors) to trust the information contained in a malicious email. vpnMentor confirms this idea with “Hackers could easily trick victims by appearing as Pfizer’s customer-support department and referencing the conversations taking place in the transcripts. For example, many people were enquiring about prescription refills and other queries. Such circumstances give cybercriminals a great opportunity to pose as Pfizer and request card details in order to proceed with the refills.”
Armed with the person’s home address, name, and medical information, criminals could use techniques to gain access to additional information effectively “destroy a person’s financial wellbeing and create tremendous difficulty in their personal lives.” If malware was the goal, these bad actors could exploit the information found on the transcripts to lure unsuspecting victims in and infect their computers to do even more damage.
What Can Patients Do to Stay Safe?
Most Americans, at one time or another, are patients, and many are on prescription medication. To keep your identity safe at all times:
* Never give out personal details to anyone over the phone (especially if you think the call is being recorded).
* Do not share medical information with anyone.
* Never click a link in an email and watch out for suspicious phishing emails that offer deals that are too good to be true.
* Always keep your computer updated with the latest patches and antivirus software.
Your best defense is to use common sense and be on the lookout for email, text, and phone scams. If you do fall victim, report the incident to the police and the FTC immediately.