Millions of Walgreens customers who tested for COVID-19 at the nationwide pharmacy had their personal information exposed online for anyone to see, Recode reported.
The information publicly available included names, birth dates, phone numbers, addresses, and emails. An unauthorized person could also view some customers’ test results. Security experts say the second-largest pharmacy chain could have easily avoided the flagrant privacy violations in the country.
A technology consultant discovered the security hole after a family member got tested in March. The consultant reached out to Walgreens repeatedly with no response. Recode said it verified the flaw and gave Walgreens a chance to fix the error before publishing its story, but the company did not.
“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz told Recode.
The pharmacy’s appointment booking platform sends customers a link after they book, including an automatically generated unique ID. Anyone who has that link—the same for everyone aside from the ID number—can view all of the available information without logging into any system.
“The technical process that Walgreens deployed to protect people’s sensitive information was nearly nonexistent,” analytics researcher Zach Edwards told Recode.
The front-facing page only displays a patient’s name and the time and location of their appointment. But by using the ID number, one can search for more detailed patient information on one of Walgreens’ partnered labs websites.
“This is either a purposeful ad tech data flow, which would be truly disappointing, or a colossal mistake that has been putting a huge portion of Walgreens customers at risk of data supply chain breaches,” Edwards added.
“We continually evaluate our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients,” Walgreens told the outlet when pressed. The company said it has attempted to balance its “top priority” of protecting patients’ information with making coronavirus testing “as accessible as possible.”
Walgreens has offered COVID-19 testing since April 2020 at its 6,000 locations. The federal government and insurance companies reimburse many of the costs of COVID testing that Walgreens incurs.
The consultant who first discovered the vulnerability said his family member’s information is still publicly viewable.
“It’s just another example of a large company that prioritizes its profits over our privacy,” he declared.
Related
Related
