In a shocking display of negligence and incompetence, Walgreens left COVID testing data exposed and refused to fix the issue when notified.
Walgreens quickly emerged as one of the most popular places for individuals to get tested for COVID-19, even touting itself as “a vital partner in testing and community education.” Individuals could register online, take the test through the company’s drive-thru and receive the results via email.
Unfortunately, according to Recode, Walgreens left the data on the open web, where virtually anyone could gain access to it. The data included name, address, email address, gender, date of birth and phone number of those who were tested. In some cases, it was even possible to access test results.
According to Recode, Alejandro Ruiz, a consultant with Interstitial Technology PBC, found the security issues in March. Ruiz informed Walgreens of the issues, using multiple channels, but the company was not responsive.
To make matters worse, security experts told Recode the issues were so basic that any company with as large a web presence as Walgreens should have known how to avoid them. Ruiz believes it’s further evidence of Walgreens’ lack of concern.
“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said.
Recode contacted Walgreens directly and gave them time to fix the vulnerabilities before publication. Shockingly, Walgreens refused to do so.
“We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” the company told Recode.
As if the lack of security was not worrying enough, researchers found a number of ad trackers attached to the company’s testing confirmation webpages, including trackers from Adobe, Akamai, Dotomi, Facebook, Google, InMoment and Monetate, in addition to data-sharing partners.
“Just the sheer number of third-party trackers attached to the appointment system is a problem, before you consider the sloppy setup,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.
The other security experts were even more damning in their evaluation of the situation.
“This is a clear-cut example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” said Zach Edwards, privacy researcher and founder of the analytics firm Victory Medium. “I’m shocked they are refuting this clear breach.”
“It’s just another example of a large company that prioritizes its profits over our privacy,” Ruiz said.