Walgreens security breach leaked millions of patients' covid test data to hackers, including your birthday and home address
Did you or someone you know ever get tested for the Wuhan coronavirus (Covid-19) at a Walgreens pharmacy location? If so, you should probably know that your personal information, including test results, may have been stolen by hackers
Your name, birthday, "gender identity," phone number, address and email could have been one of the millions that were leaked in a massive data breach that even Walgreens admits probably also set loose people's covid test results.
Numerous vulnerabilities on the Walgreens website make it relatively easy for hackers to pry into people's pharmaceutical habits, security experts have warned. Walgreens should know better and update its site, but that has not happened yet.
As a result, anyone who does business with Walgreens could be standing out there "naked" in cyberspace somewhere, at least as far as their personal information and covid status is concerned.
about the breach explains that active unique patient IDs can easily be guessed, or a hacker could create a bot to rapidly generate new URLs in the hopes of striking "gold."
In a statement, Walgreens insisted that it "routinely" evaluates the security protocols on its website to ensure that personal patient data is protected at all times – but not everyone agrees.
"Any company that made such basic errors in an app that handles health care data is one that does not take security seriously," says Alejandro Ruiz, a consultant with a company called Interstitial Technology PBC, as quoted by a news source that reported on the vulnerabilities at Walgreens.
Rather than fix the problems after being notified about them, Walgreens reportedly ignored Ruiz's warnings and continued on as normal. The company also issued a canned statement about how "we regularly review and incorporate additional security enhancements when deemed either necessary or appropriate."
Walgreens knows about security vulnerabilities but is failing to address them
Not only do hackers have potential access to private Walgreens customer records but so do unscrupulous advertising and data-mining companies that might go in there and steal it all in order to sell it.
Since Walgreens refuses to do anything to try to protect this data, it is critical for people to know this about the pharmacy chain before they decide, or undecide, to do business there.
Why would anyone who wants to keep their covid status private ever choose to go to Walgreens for a test, for instance? Do people even know that their medical data is so easily siphoned from the Walgreens website?
Chances are that most people do not know about any of this, which is why we wanted to make you aware of it. These data vulnerabilities have been present at the Walgreens website for years
, and yet the company refuses to do anything about it.
"The technical process that Walgreens deployed to protect people's sensitive information was nearly nonexistent," warns Zach Edwards, a privacy researcher and founder of the analytics firm Victory Medium, as quoted by another media source.
"Security by obscurity is an awful model for health records," added Sean O'Brien, the founder of Yale's Privacy Lab.
As it turns out, there is a ton more data stored on the Walgreens website that is likewise vulnerable to hacking or some other kind of breach. While only the patient's name and type of test
are available on the public-facing side of the pages, there is a private-facing side that is just as susceptible to being "leaked," experts warn.
With just a few clicks in a browser's developer tools panel, the sky is the limit in terms of what could be extracted from the Walgreens website. Patients beware.
The latest Wuhan coronavirus (Covid-19) news can be found at Pandemic.news
Sources for this article include: