Thanks to a Misconfigured Google Cloud Bucket, Pfizer Patient Data is Leaked

  • By Dawna M. Roberts
  • Oct 21, 2020

Alarmingly, DataBreaches.net reported today that for the past couple of years, the giant pharmaceutical company Pfizer leaked sensitive patient data using a vulnerable Google cloud storage bucket. 

The Pfizer Leak

The leak was discovered by vpnMentor’s Noam Rotem and Ran Locar, and they reported the incident to DataBreaches. Apparently, they found a misconfigured Google bucket that contained hundreds of records dating back to 2018 regarding products like Aromasin, Chantix, Depo-Medrol, Ibrance, Lyrica, Premarin, Advil, and Viagra and patients who use them.

The records found were actual transcripts of recorded phone calls between Pfizer’s U.S. Drug Safety Unit (US DSU) and patients who called in with questions or information about the medications. The leaked data includes patients’ names, home addresses, phone numbers, email addresses, the type of drugs they were using, their issues with it, or notice of adverse reactions. Physicians even made some calls for patients. Many of the victims of the data breach were undergoing treatment for various cancers. 

Researchers commented that “Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed. However, upon further investigation, we found files and entries connected to various brands owned by Pfizer. Eventually, our team concluded the bucket most likely belonged to the company’s U.S. Drug Safety Unit (DSU).”

Databreaches.net actually examined the leaked data and found that some of the calls were related to side effects or people having difficulty getting cancer treatment medication. One even called to report a death in relationship to the medication listed. Another called to get help opening a package. Cybersecurity experts noted that there was a wide range of calls in the file.

The leaked data includes personally identifiable information (PII), leaving patients ripe for identity theft. 

What Was Done About It?

The company who discovered the leak, vpnMentor, found the data on July 9th. They attempted to contact Pfizer on July 13th via email. They received nothing in response, so they tried again on July 19th, July 22nd, and then again on September 22nd.

Pfizer finally responded to the September 22nd email with “From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).” As of September 23rd, Pfizer fixed the issue and made the bucket private. 

ThreatPost reached out to Pfizer for comment, and they replied with, “Pfizer is aware that a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available.  We take privacy and product feedback extremely seriously.  To that end, when we became aware of this event, we ensured the vendor corrected the issue, and notifications compliant with applicable laws will be sent to individuals.”

Although the information leaked was not covered under HIPAA laws, it still exposes the patients’ data and leaves them at risk of identity theft and fraud. 

Ongoing Attacks on Healthcare

Although Pfizer didn’t seem too concerned about the data leak, dozens of pharmaceutical and medical healthcare organizations have been hit hard by cybercrime and ransomware attacks. 

Based on the information stolen, it would be easy for a hacker group to wage serious phishing campaigns against the people noted in the files. They had their names, email addresses, and the medications they were currently taking. That level of detail could convince many people (especially seniors) to trust the information contained in a malicious email. vpnMentor confirms this idea with “Hackers could easily trick victims by appearing as Pfizer’s customer-support department and referencing the conversations taking place in the transcripts. For example, many people were enquiring about prescription refills and other queries. Such circumstances give cybercriminals a great opportunity to pose as Pfizer and request card details in order to proceed with the refills.”

Armed with the person’s home address, name, and medical information, criminals could use techniques to gain access to additional information effectively “destroy a person’s financial wellbeing and create tremendous difficulty in their personal lives.” If malware was the goal, these bad actors could exploit the information found on the transcripts to lure unsuspecting victims in and infect their computers to do even more damage.

What Can Patients Do to Stay Safe?

Most Americans, at one time or another, are patients, and many are on prescription medication. To keep your identity safe at all times:

* Never give out personal details to anyone over the phone (especially if you think the call is being recorded).

* Do not share medical information with anyone.

* Never click a link in an email and watch out for suspicious phishing emails that offer deals that are too good to be true.

* Always keep your computer updated with the latest patches and antivirus software.

Your best defense is to use common sense and be on the lookout for email, text, and phone scams. If you do fall victim, report the incident to the police and the FTC immediately. 


About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What is an Incident Response?

What is an Incident Response?

What is an Incident Response? After a bank heist, the work begins with specialized teams and plans engaged, allowing for analysis of the event, and from this analysis, the bank can prepare a response to the incident.

What is a Social Engineering Attack? Techniques and Ways to Prevent

What is a Social Engineering Attack? Techniques and Ways to Prevent

Everyone has received a spam text or email at some point. Their hallmarks are widely known; they often include poor or strange grammar, suspicious links, suggested connections with companies or people, or random individuals asking for help in some capacity.

Side Channel Attack: Everything You Need To Know

Side Channel Attack: Everything You Need To Know

Every year, millions of people get victimized by data breaches. Criminals steal their data from the network environments of organizations, vendors, providers, institutions, and governments; with ever-increasing frequency, cybercriminals are making big moves in the cyber wars—and making billions of dollars. 

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Close
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address
Close