Unsecured Voice Transcripts Expose Health Data - AgainResearchers Find Pfizer Drug Customer Messages Accessible on Internet
For the second time within a week, it’s been revealed that sensitive voice messages containing patients’ information have been exposed on the internet.
This time, security researchers say they discovered more than 200 unsecured voice transcripts of patient calls to drug giant Pfizer’s automated customer support system exposed for at least two months on the internet due to a misconfigured Google Cloud Storage bucket.
The Pfizer news comes after the discovery of exposed customer voice transcripts belonging to Broadvoice, which offers voice over IP cloud-based telecommunications services to U.S. businesses (see: Sensitive Voicemail Transcripts Exposed). The Broadvoice database has since been secured. It included voicemail transcripts of patients leaving messages for clinics.
What Happened to Pfizer Transcripts?
In a report issued Tuesday, security researchers at vpnMentor write that they discovered the exposed voice transcript records in early July and contacted Pfizer about the problem three times before the pharmaceutical company finally responded on Sept. 22 and fixed the issue on Sept. 23.
Contained in the exposed records were personally identifiable information, including customers’ full names, home addresses, email addresses, phone numbers and partial details of health and medical status, the report says.
“The exposed files were stored on a misconfigured Google Cloud Storage bucket,” the vpnMentor report says.
“Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed. However, upon further investigation, we found files and entries connected to various brands owned by Pfizer,” including Lyrica, Chantix, Viagra and cancer treatments Ibrance and Aromasin, the report says.
Eventually, the vpnMentor team concluded the exposed bucket most likely belonged to the company’s U.S. Drug Safety Unit. “Once we had concluded our investigation, we reached out to Pfizer to present our findings. It took two months, but eventually, we received a reply from the company.”
In a statement provided to Information Security Media Group, the pharmaceutical company says: “Pfizer is aware that a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines were inadvertently publicly available. We take privacy and product feedback extremely seriously. To that end, when we became aware of this event, we ensured the vendor corrected the issue and notifications compliant with applicable laws will be sent to individuals.”
Pfizer did not immediately respond to ISMG’s request for additional details.
A vpnMentor spokesman tells ISMG that misconfigurations, such as the one that led to exposing Pfizer’s transcription records, “happen following human error by the people setting up the accounts. They are often warned by the cloud infrastructure provider about the situation, but they could misunderstand the meaning and importance of the warning. In many cases, buckets are not initially meant to store sensitive data, but over time they are repurposed, and their settings are not adequately changed.”
The vpnMentor report notes that open, publicly viewable buckets, as in the Pfizer case, “are not a flaw of Google Cloud Storage,” but rather usually the result of an error by the owner of the bucket. “Google provides detailed instructions to users to help them secure buckets and keep them private,” vpnMentor writes.
“The simple reality is that cloud storage containers are easy to create and also easy to misconfigure or configure in an unsecure manner.”
—Jon Moore, Clearwater
Meanwhile, Google says it provides alerts when customers make potentially risky configuration decisions and provides one-click fixes if they choose to follow those recommendations.
Google says security products and features that its cloud customers can use to help protect and limit exposure of sensitive data include VPC service controls that prevent data exfiltration from cloud resources; identity and access management tools, including controls for the level of data access particular users have; and cloud data loss prevention tools.
Voice System Challenges
Voice systems are frequently missed when organizations identify their information assets used to create, receive, maintain or transmit electronic protected health information, says Jon Moore, chief risk officer of privacy and security consultancy Clearwater.
“We believe this is, at least in large part, because organizations struggle to keep an accurate inventory of these systems,” he says. “In many cases, we find the organization’s IT and IT security functions are completely unaware of their existence.”
Voice-related files also pose other security challenges, notes Keith Fricke, principal consultant at tw-Security.
“Certain file types, such as sound and audio files, are harder to encrypt than Excel, Word or a PDF file,” he says. “Because of the larger file sizes associated with sound and audio files, encryption can be slow and more challenging.”
IT misconfigurations can occur then customers of cloud services providers don’t pay adequate attention to security measures, some observers say.
“Many cloud service providers offer different support services with different layers of security that a subscribing customer may choose,” Fricke says. But deciphering the various services and settings offered can prove challenging.
Clearwater’s Moore adds: “The simple reality is that cloud storage containers are easy to create and also easy to misconfigure or configure in an unsecure manner.”
Strictly adhering to configuration management policies could help prevent these types IT misconfigurations, Fricke notes. But mistakes can happen when changes are not well documented, he explains.
“As many of us know, documentation has been the downfall of many IT staff,” Fricke says.
When working with cloud service providers, organizations should, “closely examine the support services contract … especially with the security model,” he advises. “Know what the vendor is responsible for and what you - the using organization - are responsible for. Be sure that those people tasked with configuring the security understand what and how to do it.”
Organizations must ensure they have adequate security safeguards in place in their cloud environments, Moore stresses.
Entities should evaluate their environments regularly “using scanning and search tools like Shodan so that they know what is publicly viewable,” he says.
“In addition, the leading cloud providers like Amazon, Microsoft and Google provide plenty of documentation and training on security in their environments, so any organization that is using a cloud provider should take advantage of these resources.”