Patient data exposed in breach of Pfizer cloud storage; report

Cybersecurity firm vpnMentor says that Pfizer has been hit by a major data breach that has exposed private details from prescription drug users in the US.

The breach related to conversations between Pfizer’s automated customer support software and people using its products like painkiller Lyrica (pregabalin), Chantix (varenicline) used to help people quit smoking, erectile dysfunction therapy Viagra (sildenafil), and cancer treatments Ibrance (palbociclib) and Aromasin (exemestane).

vpnMentor says the unsecured and unencrypted data was leaked from misconfigured Google Cloud storage, and included full names, home addresses and email addresses – potentially exposing patients to phishing attacks and other scams – along with confidential medical information.

Cybersecurity experts led by Noam Rotem and Ran Locar discovered the storage “bucket” containing the data as part of an ongoing web mapping project. It included transcripts of conversations as well as follow-ups when queries were “escalated” to support staff.

vpnMentor claim they discovered the breach in July, contacting Pfizer about it shortly after, but didn’t receive a response from the big pharma group until the third week of September, soe two months later.

“Pharmaceutical companies hold a great deal of responsibility to keep the data of their customers secure and private. Not only is this a moral responsibility. It’s the law,” says vpnMentor in its report.

“By exposing these transcripts to the public, Pfizer committed a basic lapse in data security and a breach of confidentiality, with significant implications for the wellbeing of the people exposed.”

A Crown Records Management (CRM) survey reported in 2017 found that around a quarter of respondents in the pharma industry were failing to report data breaches, despite the high level of personal data that drugmakers hold.

That poll suggested 15 per cent of 408 IT decision-maker respondents were unaware of who to report a breach to, while 23 per cent apiece either knew someone within their company who had failed to report a breach, or had failed to do so themselves.

That study took place before the EU introduced the General Data Protection Regulation (GDPR) in 2018, which requires personal data breaches to be reported within 72 hours of discovery.

Fines are starting to be levied on organisations who don’t adhere to those requirements. Last December, UK pharmacy chain Doorstep Dispensaree was fined £275,000 for “careless” storage of patient data under the GDPR.

By not securing the data exposed in this breach, Pfizer has made itself vulnerable to legal issues, according to vpnMentor. For example, if any of the individuals affected were residents of California, the company falls within the jurisdiction of the California Consumer Privacy Act (CCPA).

Commenting on the latest report, Sam Curry – chief security officer at cybersecurity specialist Cybereason – said that it shows how difficult it is difficult for even the largest companies in the world to secure their data.

“It's irrelevant whether an internal or external error led to this data breach, because the digital footprint for enterprises is expanding at such a rapid pace that errors will occur and data will be exposed,” he said.

“However, it is incumbent upon Pfizer to continue to do everything humanly possible to protect its IP, customer and partner data and all proprietary information,” he continued.

“In this case, Pfizer can't play the victim card as there certainly aren't any customers interested in hearing excuses,” according to Curry. “What they want is transparency and guarantees that the company will continue to make sure data protection is their top priority.

He said the breach should be a “wake up call” for all companies to improve their security and use threat hunting services to discover malicious operations quickly before material damage occurs.

SecuringIndustry.com contacted Pfizer for comment and received the following response:

"Pfizer is aware that a small number of non-HIPAA data records on a vendor operated system used for feedback on existing medicines were inadvertently publicly available. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals."