Walgreens app ‘error’ lets customers view other people’s prescriptions, names and shipping addresses


  • Walgreens says a bug in its official mobile app may have exposed sensitive data
  • The error leaked information in the app, allowing other users to view it
  • The data included names, prescription details, store numbers and addresses
  • The issue occurred on January 9, but Walgreens fixed it on January 15

Millions of consumers have downloaded the Walgreens mobile app, and some of them have found they are victims of an online leak.

The American company released a statement saying details such as names, prescriptions, store numbers and addresses were exposed for other users to see.

The firm did not specify how many of the app’s users were impacted by the ‘error’, but did note that ‘sensitive drugs prescription details were only exposed for a small percentage of the total users who were affected.’

The flaw was found to have started on January 9 and was rectified by January 15, which means customers’ personal details were exposed for nearly a week.

Walgreens, the second largest American pharmacy, sent a breach notification letter to customers acknowledging the leak, which the firm said it fixed on the day it learned of the error.


‘On January 15, 2020, Walgreens discovered an error within the Walgreens mobile app personal secure messaging feature,’ the letter states.

‘Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app.’

‘Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.’

The bug was found to let app users see other people’s health-related information, which included first and last names, prescription data, store number and shipping address.

However, Walgreens did say that no financial information such as social security numbers or banking information was involved in the leak.

‘Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue,’ the firm writes in the letter.

‘Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data.’

For those who use the mobile app to manage their prescriptions, Walgreens suggests monitoring your records.

‘Even though no financial information was involved, we have enclosed information on steps you can take to further protect your information, and how to obtain a free copy of your credit report from each of the three (3) major credit reporting agencies as a courtesy for your reference,’ the firm shared.

The company interacts with approximately 8 million customers in its stores and online each day, and filled 1.2 billion prescriptions on a 30-day adjusted basis in fiscal 2019, according to its website.

One of the issues at hand is that the leak goes against the Health Insurance Portability and Accountability Act (HIPAA): not only are consumers at risk, but Walgreens could face consequences.

Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual.

HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time.