Sensitive personal test info left exposed online
Walgreens allegedly left the personal details of patients who took COVID-19 tests at its pharmacies exposed to the public. The data leak affects millions of patients who used Walgreens' COVID-19 testing services.
The highly sensitive patient information was left exposed online for anyone to see.
Walgreens is the second-largest pharmacy chain in the United States, with over 9,000 locations. Walgreens also owns Duane Reade and Boots. The chain is second only to CVS.
“Multiple security experts told Recode that the vulnerabilities found on the site are basic issues that the website of one of the largest pharmacy chains in the United States should have known to avoid,” says a post on Recode.
Exposed personal data includes:
- Patient name
- Phone number
- Email address
- Order ID
- Name of the lab
Some COVID-19 test result data was also exposed.
The cause of the security vulnerability was the Walgreens appointment registration system. When someone completes the patient registration form and submits it online, they receive a 32-digit ID assigned to them with their appointment request.
The identification number was also used as part of the website URL to access their patient information. No login credentials were required to see the patient data or test results.
The problem is that the URL for viewing any patient's information is the same apart from the ID number, so it can be guessed by tacking on an ID. If you randomly guess someone's registration number, you can see their private registration information.
That means anyone can randomly guess at the ID numbers and see someone's patient information. It also means that anyone with access to your web browser history can see your COVID-19 registration information and possibly test results. This is especially concerning for anyone who registered for a test on a public computer or at work.
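The access pattern described above, next to a hardened lookup, as an added example that is not Walgreens' code. All names, the hex ID format and the in-memory stores are assumptions made for illustration; the sample data is constructed.

```python
import secrets

# Constructed in-memory stores standing in for a database (assumption).
REGISTRATIONS = {}  # registration ID -> record
SESSIONS = {}       # session token -> account that logged in


def register(owner, name, phone):
    """Create a registration and return its 32-character ID (hex here)."""
    reg_id = secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
    REGISTRATIONS[reg_id] = {"owner": owner, "name": name, "phone": phone}
    return reg_id


def login(owner):
    """Issue a session token. It belongs in a cookie or header, never in the
    URL, so it does not end up in browser history the way the ID does."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = owner
    return token


def view_by_url_id(reg_id):
    """Pattern from the article: the ID in the URL is the only check."""
    record = REGISTRATIONS.get(reg_id)
    if record is None:
        return 404, None
    return 200, record  # anyone holding or guessing the ID gets the record


def view_with_authz(reg_id, session_token):
    """Hardened: the caller must be logged in and must own the record."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    record = REGISTRATIONS.get(reg_id)
    # Same answer for "no such ID" and "not your record", so responses
    # cannot be used to confirm which IDs exist.
    if record is None or record["owner"] != owner:
        return 404, None
    return 200, {"name": record["name"], "phone": record["phone"]}
```

With the second function, a registration ID recovered from browser history or a shared link is no longer enough on its own to read the record.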
“Walgreens told Recode that it was a top priority to protect its patients’ personal information, but that it also had to balance the need to secure information with making Covid-19 testing ‘as accessible as possible for individuals seeking a test.’”
Walgreens has not fixed this security vulnerability, according to Recode.