Global pharmaceutical company Pfizer inadvertently exposed Personally Identifiable Information (PII) of hundreds of prescription drug users in the U.S. after its misconfigured Google Cloud Storage bucket was left online. According to security experts from vpnMentor, the bucket contained prescriptions and transcripts of conversations between users of various Pfizer drugs, including Lyrica, Chantix, and the cancer treatments Ibrance and Aromasin, and the company’s interactive voice response (IVR) customer support software.
The misconfigured bucket leaked hundreds of transcripts containing users’ personal data, such as full names, home addresses, email addresses, phone numbers, and partial details of health and medical status. The misconfigured cloud bucket is now secured after vpnMentor’s researchers reported the issue.
What’s the Impact?
While there is no information on whether any threat actors accessed the leaky database, vpnMentor’s researchers stated that cybercriminals could exploit the leaked data by targeting drug users in phishing campaigns and other fraudulent schemes.
“If cybercriminals succeeded in tricking a victim into providing additional PII data, they could use this to pursue various forms of fraud, including total identity theft. In doing so, they could destroy a person’s financial well-being and create tremendous difficulty in their personal lives. Furthermore, there is a high probability the people exposed in these transcripts are experiencing ill health, physically, and emotionally,” the researchers added.
Worth of Medical Data
A survey from cybersecurity firm Carbon Black stated that the rate of cyberattacks on the health care industry appears to be increasing exponentially. Carbon Black also disclosed what is happening to the Personal Health Information (PHI) stolen by cybercriminals. The survey, which involved 20 of the health care industry’s Chief Information Security Officers (CISOs), found that the health care sector is being targeted because of how lucrative PHI is compared with other personal data like credit card numbers. It is said that personal health information is worth three times more than other personal information, since the health information never changes and can be used by cybercriminal groups for extortion or compromise.