Pharma giant Pfizer has leaked the private medical data of prescription-drug users in the U.S. for months or even years, thanks to an unprotected Google Cloud storage bucket.

The exposed data includes phone-call transcripts and personally-identifiable information (PII), according to vpnMentor’s cybersecurity research team. The victims include people using pharmaceuticals like Lyrica, smoking-cessation aid Chantix, Viagra, menopause drug Premarin, and cancer treatments such as Aromasin, Depo-Medrol and Ibrance. Some of the transcripts were related to conversations about Advil, which is manufactured by Pfizer in a joint venture with GlaxoSmithKline.

“Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed,” researchers explained. “However, upon further investigation, we found files and entries connected to various brands owned by Pfizer. Eventually, our team concluded the bucket most likely belonged to the company’s U.S. Drug Safety Unit (DSU).”

The PII includes full names, home addresses, email addresses, phone numbers, and partial details for health and medical status, vpnMentor noted. But perhaps more concerning are the transcripts, which are related to Pfizer’s automated customer-support system.

The company captured conversations with customers calling into the company’s interactive voice response (IVR) customer support asking about refills, side-effects and the like.

“The folder containing the transcripts was named ‘escalations,’ suggesting they were part of an automated internal process managing customer queries and complaints,” according to a vpnMentor blog post on Tuesday. “We also reviewed transcripts in which the conversation was ‘escalated’ to human customer support agents. It appeared these agents were registered nurses representing Pfizer in matters relating to its pharmaceutical brands.”