CVS/pharmacy

On February 11, 2022, CVS Pharmacy publicly disclosed a data breach, discovered on January 6, 2022, that resulted from automated **password spraying** attacks targeting customer accounts. The incident potentially exposed sensitive personal information, including **customer names, dates of birth, mailing addresses, email addresses, and limited prescription details**. While the exact number of affected individuals remains undisclosed, the breach posed a significant risk of unauthorized access to customer data, raising concerns over identity theft, prescription fraud, or targeted phishing scams. The attack exploited weak or reused credentials, highlighting vulnerabilities in CVS’s authentication mechanisms. No ransomware was involved, but the compromise of prescription-related data, even if limited, intensified privacy and regulatory compliance risks under healthcare data protection laws like **HIPAA**. The breach underscored the need for stronger cybersecurity measures, such as multi-factor authentication (MFA) and monitoring for credential-stuffing attempts.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-550888

TPRM report: https://www.rankiteo.com/company/cvs-pharmacy

"id": "cvs1015090725",
"linkid": "cvs-pharmacy",
"type": "Breach",
"date": "1/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown',
                        'industry': 'Healthcare/Pharmacy',
                        'location': 'United States (Primarily California)',
                        'name': 'CVS Pharmacy',
                        'type': 'Corporation'}],
 'attack_vector': 'Password Spraying',
 'data_breach': {'data_exfiltration': 'Likely (Unauthorized Access Confirmed)',
                 'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII and Health-Related Data)',
                 'type_of_data_compromised': ['Personal Information',
                                              'Prescription Information '
                                              '(Limited)']},
 'date_detected': '2022-01-06',
 'date_publicly_disclosed': '2022-02-11',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving CVS Pharmacy, discovered on January 6, 2022. '
                'The breach resulted from automated attempts to log in to '
                'customer accounts through password spraying, potentially '
                'compromising personal information such as customer names, '
                'dates of birth, mailing addresses, email addresses, and '
                'limited prescription information. The number of affected '
                'individuals is unknown.',
 'impact': {'brand_reputation_impact': 'Potential Negative Impact (Undisclosed '
                                       'Severity)',
            'data_compromised': ['Customer Names',
                                 'Dates of Birth',
                                 'Mailing Addresses',
                                 'Email Addresses',
                                 'Limited Prescription Information'],
            'identity_theft_risk': 'High (Personal Information Exposed)'},
 'initial_access_broker': {'entry_point': 'Customer Account Credentials '
                                          '(Password Spraying)',
                           'high_value_targets': 'Customer Personal and '
                                                 'Prescription Data'},
 'investigation_status': 'Disclosed; Further Details Unclear',
 'post_incident_analysis': {'root_causes': 'Weak Authentication Mechanisms '
                                           '(Susceptibility to Password '
                                           'Spraying)'},
 'references': [{'date_accessed': '2022-02-11',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health '
                                                    'Insurance Portability and '
                                                    'Accountability Act) '
                                                    'Violations',
                                                    'California Consumer '
                                                    'Privacy Act (CCPA) '
                                                    'Notification '
                                                    'Requirements'],
                           'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Public Disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'CVS Pharmacy Data Breach via Password Spraying Attack',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Weak or Reused Credentials'}