Poorly designed Walgreens Covid test registry left sensitive data on MILLIONS of patients unprotected – reports

Sensitive health data on millions of people was left vulnerable due to a badly designed testing registry set up for the Walgreens pharmacy chain, potentially making private records accessible to the public, Recode reported.

Personal data – including names, birthdays, gender information, phone numbers as well as email and home addresses – was left freely viewable on the web thanks to how the Walgreens registry is designed, a vulnerability first noted on Monday by Recode, an affiliate of Vox. 

One of the country’s largest drugstore chains, Walgreens oversees some 6,000 testing sites across the US. To date, millions of people have gone through the company’s system.

The primary issue lies with Walgreens’ appointment registration system for those seeking on-site testing. Customers are asked to fill out a form and assigned a unique, 32-digit ID number, which is then linked up to a user page for that particular appointment. The URL for the appointment page contains the 32-digit ID number, and the page stays live for at least six months.

However, because the pages are not password-protected and require no login credentials to be accessed, anybody with the URL can view them, making for a “nearly nonexistent” security protocol for user data, according to Zach Edwards, a privacy researcher who spoke with Recode.

Except for the 32-digit ID number, the URLs for the appointment pages are identical, meaning that active IDs could be guessed by merely replacing certain numbers in the URL. Or, as security experts noted to Recode, a more dedicated hacker could create a bot to rapidly generate URLs to root out active pages, which would then give them access to a variety of biographical information on users. Anybody with access to a user’s browsing history could also view their appointment page.

While the public-facing appointment pages themselves contain only a patient’s name, the type of test received and the time and location of their appointment, much more data is accessible using tools found on any modern internet browser. In just a few clicks, one can access a browser’s developer tools panel and see the guts of a particular webpage – which, in the case of Walgreens’ appointment pages, reveals more sensitive patient information.

Walgreens has been aware of the vulnerability at least since March, when a consultant at an IT firm first discovered it and alerted the company to a potential issue. The consultant, Alejandro Ruiz, said he first noticed the problem after a family member obtained a Covid-19 test through the drugstore chain, telling Recode that he had contacted Walgreens by phone, email and even through the company’s online security form. He has yet to receive a response, he said.

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said.

While Ruiz’s findings were corroborated by two other cyber security experts reached by Recode, and the outlet forwarded their conclusions to Walgreens, the company has not altered its registry and did not say it had any plans to do so, nor did it even acknowledge any potential privacy issue in the first place.

Instead, it told the outlet that protecting customers’ privacy was its “top priority,” adding “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.”

The privacy issues don’t end with the company’s appointment registry, however. Ruiz and other security experts voiced concerns that Walgreens had placed a large number of trackers on its appointment pages, which collect certain information and send them off to third-parties for advertising purposes. That means that Walgreens’ data-sharing partners – including Adobe, Akami, Dotomi, Facebook, Google, InMoment and Monetate – could have access to the sensitive data as well – a move Edwards said could even be deliberate.

“This is either a purposeful ad tech data flow, which would be truly disappointing, or a colossal mistake that has been putting a huge portion of Walgreens customers at risk of data supply chain breaches,” he said, also noting the company still hadn’t acknowledged the problem.

This is a clear-cut example [of this type of vulnerability], but with Covid data and tons of personally identifiable information. I’m shocked they are refuting this clear breach.

Think your friends would be interested? Share this story!