If you got tested for the coronavirus through Walgreens’ pharmacy, your personal information may have been left unsecured on the web.
Patient information such as names, phone numbers, addresses, emails and even positive or negative results was vulnerable to exploitation. Millions of people used Walgreens’ testing services over the course of the pandemic, and continue to do so. Security experts believe the vulnerabilities found on the company’s website are basic issues that Walgreens should have known to avoid.
Walgreens was notified by multiple entities of the vulnerability, but the company was unresponsive. Data security is extremely important in today’s technological age. With how quickly the testing registration was implemented, it’s clear that the privacy and security of patients were not fully considered.
To sign up for a COVID-19 test, the company requires a host of information from the patient before giving them a unique confirmation page upon submission. According to Recode, Walgreens’ online test registration lets anyone who has the link to the confirmation page see what information is listed there. There’s no authentication process or login required, and the page stays active for 6 months or longer. In addition, anyone who has access to a patient’s browser history can see the page, including anyone on a public or shared computer.
All URLs for the confirmation page are the same, except for a unique patient ID. Those IDs could be guessed, or generated by a bot in search of active pages. Experts note it would be nearly impossible for a hacker to exploit any active pages in such a way, but the possibility is still there. It’s also important to note that this issue applies to front-facing web pages, and not the ones on the back end.
Patient health information may have been left open to ad trackers as well. According to experts, there are a number of trackers on Walgreens’ confirmation pages, and the companies that own these trackers (like Google, Facebook, Adobe and Akamai) could be taking these confirmation IDs and recording the information therein.
Walgreens did not fix the vulnerability before Recode’s deadline, and gave no indication whether it had plans to do so.
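One way a confirmation link could avoid the problems described above: a random token instead of a guessable patient ID, a short expiry, and a date-of-birth check before anything is shown. This is an added example, not Walgreens’ code; the function names, the 72-hour lifetime, the lockout threshold and the date-of-birth check are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_LIFETIME_SECONDS = 72 * 3600   # assumed lifetime, far shorter than six months
MAX_FAILED_CHECKS = 5               # assumed lockout threshold
NO_LEAK_HEADERS = {
    "Cache-Control": "no-store",        # keep the page out of shared-computer caches
    "Referrer-Policy": "no-referrer",   # keep the URL out of Referer headers
}
_records = {}  # sha256(token) -> record; stand-in for a database table


def _key(token):
    # Only a hash of the token is stored, so a leaked table does not yield links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_confirmation(patient, now=None):
    """Store a registration and return the token to embed in the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits instead of a guessable ID
    _records[_key(token)] = {
        "patient": patient,
        "expires": now + LINK_LIFETIME_SECONDS,
        "failures": 0,
    }
    return token


def view_confirmation(token, date_of_birth, now=None):
    """Return (status, headers, body); every failure looks like the same 404."""
    now = time.time() if now is None else now
    rec = _records.get(_key(token))
    if rec is None or now > rec["expires"] or rec["failures"] >= MAX_FAILED_CHECKS:
        return 404, NO_LEAK_HEADERS, None
    expected = rec["patient"]["date_of_birth"]
    if not hmac.compare_digest(date_of_birth.encode(), expected.encode()):
        rec["failures"] += 1  # the link alone is not enough, and guesses are capped
        return 404, NO_LEAK_HEADERS, None
    body = {k: rec["patient"][k] for k in ("name", "appointment")}
    return 200, NO_LEAK_HEADERS, body


# Constructed sample data, not a real patient.
SAMPLE = {"name": "Pat Example", "date_of_birth": "1980-01-31",
          "appointment": "2021-09-01 10:30"}
```

The Referrer-Policy header only keeps the link out of requests sent to third parties; a tracker script that runs inside the page can still read the address, so such scripts would also need to be left off the confirmation page.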