The CVS data leak exposed 10 billion web site records, but you don't have to worry here

But don't panic just yet.

The database of 1,148,327,940 items, totaling 204 GB of data, consists of user logs, which is the type of data a website keeps about its visitors. Most of these items were boring, "add to cart, settings, dashboard, index-patterns, more detailed refinement, order, remove from cart, search, server," researcher Jeremiah Fowler said today (June 16) in a blog post on the WebsitePlanet site.

There were randomly generated user IDs and session IDs, as well as slightly more sensitive information such as whether visitors were accessing the website from a smartphone or a desktop computer. The data also showed what people searched for on the various websites operated by CVS.

User IDs are not supposed to be linked to specific individuals, and CVS's website appears to be set up in such a way that they are not.

Unfortunately, the database also contained a number of e-mail addresses that should not be there. It appears that some users typed their email addresses into the search bar on the CVS website, especially if they were accessing the site from a cell phone.

"Upon reviewing the mobile version of the CVS site, visitors may have believed they were logged into their account, when in fact they may have entered their own email address into the search bar," Fowler wrote in his report.

"This would explain how so many email addresses ended up in a product search database that was not intended to identify visitors."

Because the database was available to Fowler and his fellow researchers for such a short period of time, they were unable to ascertain how many email addresses in total were exposed.

Because many of these email addresses contained some or most of the names of individuals, it would have been possible to match these email addresses with user IDs to see what those individuals searched for and purchased on the CVS website. Credit card and other financial information was not included in the database.
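The linkage described above can be shown on a small scale. The following is an added illustration, not code from Fowler's report or from CVS or its vendor: it audits search-log records for email-shaped search terms, counts how many events become attributable to a person through each affected visitor ID, and scrubs the terms before storage. The record layout and field names are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Deliberately simple email matcher for scrubbing; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample records; field names are assumptions, not the real schema.
SAMPLE_LOG = [
    {"visitor_id": "v-7f3a", "device": "mobile", "event": "search", "term": "jane.doe@example.com"},
    {"visitor_id": "v-7f3a", "device": "mobile", "event": "search", "term": "allergy tablets"},
    {"visitor_id": "v-7f3a", "device": "mobile", "event": "add to cart", "term": ""},
    {"visitor_id": "v-19c2", "device": "desktop", "event": "search", "term": "vitamin d"},
    {"visitor_id": "v-55b0", "device": "mobile", "event": "search", "term": " Bob_Smith@Example.org "},
    {"visitor_id": "v-55b0", "device": "mobile", "event": "order", "term": ""},
]


def scrub_term(term):
    """Replace email-shaped substrings so they never reach the log store."""
    return EMAIL_RE.sub("[redacted-email]", term)


def audit(records):
    """Return {visitor_id: events linkable to a person} for IDs that logged an email."""
    exposed = set()
    events = defaultdict(int)
    for rec in records:
        events[rec["visitor_id"]] += 1
        if EMAIL_RE.search(rec["term"]):
            exposed.add(rec["visitor_id"])
    # One typed email makes every event under that ID attributable.
    return {vid: events[vid] for vid in sorted(exposed)}


def scrub(records):
    """Return copies of the records with search terms scrubbed."""
    return [{**rec, "term": scrub_term(rec["term"])} for rec in records]


if __name__ == "__main__":
    print("linkable before scrubbing:", audit(SAMPLE_LOG))
    print("linkable after scrubbing: ", audit(scrub(SAMPLE_LOG)))
```

Scrubbing at write time matters because a single email-shaped search term is enough to tie every other event under the same visitor ID to a named person.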

Spammers and fraudsters could also have used these email addresses to target people, but it is unclear how long the database was left unprotected online or whether anyone stole data from it.

Fowler and his colleagues on the WebsitePlanet investigation team notified CVS Health, CVS's parent company, on March 21 when they discovered the database, and CVS Health locked down the database that same day.

CVS Health informed Fowler that the database was operated by an unnamed third-party vendor.

"We were able to contact the vendor and they took immediate action to remove the database," Fowler quoted CVS Health as saying.

"Protecting our customers' and our company's personal information is a top priority, and it is important to note that the database did not contain any personal information about our customers, members, or patients."

CVS is more than a retail drugstore that began in New England and has spread across the country in the past few decades. Its parent company, CVS Health, also owns and operates CVS Caremark Prescription Drug Management Company, which your company may use to fulfill prescriptions under your health plan.

If that's not big enough, CVS Health also acquired 200-year-old insurance giant Aetna in 2018. The company currently ranks fourth on the Fortune 500 list of America's largest companies by revenue, behind Walmart, Amazon, and Apple.

However, as Fowler noted in his blog post, the data breach does not appear to be CVS Health's fault.

"Whether it was a configuration error that exposed the database or a website visitor who typed his or her email address into the search bar, there is only human error to blame," Fowler wrote. "We are not implying fraud by CVS Health, its contractors or vendors. Nor does it imply that customers, members, patients, or website visitors are at risk. The theory described here is based on hypothetical possibilities of how this data could be used."
