An improperly configured Google Cloud storage bucket caused the exposure of personally identifiable data from October 2018 to July 2020, according to VPNMentor researchers. The exposed data also included transcripts of conversations about Advil, which Pfizer manufactures in a partnership with GlaxoSmithKline.
Researchers at VPNMentor discovered the data breach and notified Pfizer of the problem on July 13. The company responded on Sept. 22 and remediated the breach on the following day.
Patient data available in the breach included names, phone numbers and medical status, in addition to home and email addresses. Also exposed in the breach were transcripts from users of a variety of Pfizer drugs who had interacted with voice-activated customer support software.
“Initially, we suspected the misconfigured bucket to be related to just one of the medication brands exposed,” the VPNMentor researchers wrote. “However, upon further investigation, we found files and entries connected to various brands owned by Pfizer.”
In a statement to ThreatPost, a Pfizer spokesperson stressed that the breach related to “a small number of non-HIPAA data records on a vendor-operated system used for feedback on existing medicines.” The spokesperson added that the vendor managing the system has since corrected the problem and that Pfizer is ensuring that “notifications compliant with applicable laws will be sent to individuals.”