MILLIONS of patients could have had their private information leaked through Walgreens’ Covid testing system, according to a new report.
Personal data including home numbers, names, addresses, dates of birth and email addresses was published on the open web, exposing it to anyone, including ad trackers on the store’s site.
In some cases, even the results of Covid tests were posted on the open web, as reported by Recode.
Security experts told the site the weaknesses on Walgreens’ website are basic and should have been easily avoidable.
They stem from the company’s Covid test appointment registration system, which gives a unique 32-digit ID number to every patient who submits a form to get a test.
Once patients submit the form, they are sent to a new appointment request page, which includes the unique ID in the URL.
There are no personal verification steps or requirements, so anyone with the link can see the page, which stays active for six months or even longer.
More than 6,000 Walgreens testing sites used this registration system, so millions of unique IDs have been created.
This ID offers hackers many ways to steal these patients’ personal data: they could create bots that generate countless URLs in the hope of hitting an active page containing private information, then use that information to try to break into the patients’ accounts on other sites.
Experts say, however, that it would be close to impossible for hackers to find active pages this way, because of the number of characters in the unique IDs and possible combinations.
But anyone who has access to a patient’s browsing history could potentially access the page and thus the private information.
While only the patient’s name, type of test, and appointment time and location are visible on the public page, Walgreens requires someone’s full name, date of birth, phone number, email address, mailing address, and gender identity to register for an appointment.
And all of that data can be accessed in a browser’s developer tools panel.
Moreover, to get the results of a Covid test through at least one of Walgreens’ lab partners’ portals, all someone needs is the “orderId” and the name of the lab that performed the test.
Another concern is the number of third-party trackers on Walgreens’ confirmation pages. Companies like Adobe, Facebook and Google own these trackers and could have access to the unique IDs and thus patient information.
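The pattern the report describes, as an added illustration that is not from the report or from Walgreens’ actual system: a minimal Python model of the appointment page, with the ID-only lookup beside a hardened version that also requires the patient’s date of birth (a field the form already collects), expires the link, sends the browser only the fields it displays, and keeps the ID out of the Referer header seen by third-party trackers. The 32-hex-character ID format, the one-day link lifetime, the sample record and all function names are assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory store standing in for the registration database.
RECORDS = {}

def register(name, dob, email, phone, test_type, when):
    """Mint a 32-hex-character appointment ID (assumed format) and store the record."""
    appt_id = secrets.token_hex(16)  # 128 bits of entropy: guessing the space is infeasible
    RECORDS[appt_id] = {"name": name, "dob": dob, "email": email, "phone": phone,
                        "test_type": test_type, "when": when,
                        "created": datetime.now(timezone.utc)}
    return appt_id

def vulnerable_page(appt_id):
    """The pattern in the report: the ID alone unlocks the page, it never expires, and the
    whole record is sent to the browser even though only a few fields are rendered."""
    rec = RECORDS.get(appt_id)
    if rec is None:
        return 404, {}, {}
    return 200, {}, dict(rec)  # full PII reachable from developer tools and page scripts

DISPLAYED = ("name", "test_type", "when")
LINK_LIFETIME = timedelta(days=1)  # assumed; the report says pages stayed live for months

def hardened_page(appt_id, dob_supplied, now=None):
    """Hardened form: the URL alone is not enough (the patient must also supply their date
    of birth), the link expires, only displayed fields leave the server, and Referrer-Policy
    stops the ID from being sent to third-party trackers in the Referer header."""
    now = now or datetime.now(timezone.utc)
    headers = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
    rec = RECORDS.get(appt_id)
    # Same response for an unknown ID and a wrong date of birth, so neither leaks the other.
    if rec is None or not secrets.compare_digest(rec["dob"], dob_supplied or ""):
        return 404, headers, {}
    if now - rec["created"] > LINK_LIFETIME:
        return 410, headers, {}
    return 200, headers, {k: rec[k] for k in DISPLAYED}
```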
Technology consultant Alejandro Ruiz says he discovered the vulnerabilities in Walgreens’ system in March, when a family member got a Covid test at one of the stores.
Ruiz tried to contact the company through every possible avenue, but the pharmacy chain, one of the biggest in the country, was completely unresponsive to his concerns.
Recode says it also reached out to Walgreens with Ruiz’s concerns and even gave the company time to fix the issues before publishing the allegations, but Walgreens failed to do so.
The company did say that while protecting patients’ data was a “top priority,” it also had to make Covid tests “as accessible as possible.”
It’s unclear how long Walgreens’ registration system has had these issues, but the company started offering Covid testing in April 2020.