Pharmaceutical giant Pfizer has suffered a data breach in which sensitive patient call transcripts of hundreds of American prescription drug users were left exposed on a misconfigured public cloud server.
The exposed data reportedly included automated call transcripts in which patients discuss prescription drugs manufactured by Pfizer, including Lyrica, Chantix, Viagra, and the cancer treatments Ibrance and Aromasin.
The call transcripts contained other personal data, including full names, home addresses, email addresses, phone numbers and partial medical details.
Security researchers Noam Rotem and Ran Locar, along with vpnMentor’s cybersecurity team, discovered the data on a misconfigured Google Cloud Storage bucket on 9 July this year. In the course of their investigation, they concluded that the exposed bucket most likely belonged to Pfizer’s US Drug Safety Unit.
The researchers said it took two months to receive a reply from Pfizer, which said:
“From the URL you gave, I failed to see how it is important Pfizer data (or even an important data at all).”
When the researchers sent a sample of the customer data to the pharmaceutical giant, the exposed data was taken offline on 23 September, according to vpnMentor. Pfizer did not reply to any other correspondence, the researchers claim.
A Pfizer UK spokesperson told Verdict:
“Pfizer is aware that a small number of data records on a US vendor operated system used for feedback on existing medicines were inadvertently publicly available. This affected US-based individuals only. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event we ensured the vendor corrected the issue and notifications compliant with applicable laws have been sent to individuals.”
While the number of people affected by the Pfizer breach is relatively small compared to other data leaks, the sensitive nature of the medical data could put those affected at risk of targeted phishing and fraud attempts by any cybercriminal who came across the publicly accessible data.
“Targeting victims with extremely personal data can be very effective as those affected believe there would be no other way to locate such information,” said Jake Moore, cybersecurity specialist at ESET.
“The sender instantly gains the trust of the victim and further damage can quickly occur such as loss of money or even extortion.”
Sam Curry, chief security officer at Cybereason, added:
“In this case, Pfizer can’t play the victim card as there certainly aren’t any customers interested in hearing excuses. What they want is transparency and guarantees that the company will continue to make sure data protection is their top priority.”
This article was updated to include a statement from Pfizer.