Walgreens’ Covid test registration system discloses patient data
If you got a Covid-19 test at Walgreens, your personal data – including your name, date of birth, birth gender, phone number, address, and email – was left on the open web for potentially anyone to find and for the many ad trackers on Walgreens’ site to collect. In some cases, even the results of these tests can be derived from that data.
Disclosure of the data could potentially affect the millions of people who have used – or continue to use – Walgreens’ Covid-19 testing services over the course of the pandemic.
Several security experts told Recode that the vulnerabilities found on the site are key issues that the website of one of the largest pharmacy chains in the United States should have known to avoid. Walgreens has promoted itself as an “essential testing partner,” and the company is paid for the tests by insurance companies and the government.
Alejandro Ruiz, a consultant with Interstitial Technology PBC, discovered the issues in March after a family member took a Covid-19 test. He said he contacted Walgreens via email, phone, and the website’s security form. The company was unresponsive, he said, which did not surprise him.
“Any company that makes such basic mistakes in an app that manages healthcare data is one that doesn’t take security seriously,” Ruiz said.
Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities prior to publication, but Walgreens did not do so.
“We regularly review and incorporate additional security improvements if deemed necessary or appropriate,” the company told Recode.
People’s sensitive data may be exposed to many ad and data companies to use for their own purposes, or they may be dissuaded from taking a Covid-19 test from Walgreens unless they are confident that their data is secure. The platform’s weaknesses are also another example of how technology meant to help in the effort to stop the pandemic was built or implemented quickly, without fully taking privacy and security into account.
Walgreens would not say how long its test registration platform has had these vulnerabilities. They date back at least to March, when Ruiz discovered them, and probably much longer than that. Walgreens has offered Covid-19 tests since April 2020, and the Wayback Machine, which archives the internet, shows blank test confirmation data pages as of July 2020, indicating that the issue dates back at least that far.
The problems are with Walgreens’ Covid-19 test registration system, which has to be used by anyone who wants to take a test from Walgreens (unless they buy an over-the-counter test). After the patient fills out and submits the form, a unique 32-digit ID number is assigned to them and an appointment request page is created, with the unique ID in the URL.
Anyone with a link to that page can see the information on it; there is no need to prove they are the patient or log in to an account. The page remains active for at least six months, if not more.
“The technical process that Walgreens employs to protect people’s sensitive information is almost non-existent,” Zach Edwards, privacy researcher and founder of analytics firm Victory Medium, told Recode.
The URLs for these pages are identical except for a unique patient ID that is included in what is called a “query string” – the part of the URL that begins with a question mark. As millions of tests at more than 6,000 Walgreens test sites have been run using this registration system, there are likely to be millions of active IDs out there. An active ID could be guessed, or a determined hacker could make a bot that quickly generates URLs in hopes of hitting any active pages, security experts told Recode, giving them a source of biographical data about people that could be used to hack their accounts on other sites. However, given how many characters are in the IDs and therefore how many combinations there are, they said it would be almost impossible to find even one active page this way – even with the millions of them out there. Of course, nearly impossible is not the same as impossible.
Anyone with access to someone’s browsing history can also find the page. That could include an employer logging employees’ internet activity, for example, or someone accessing browser history on a public or shared computer.
“Security through obscurity is a terrific model for health records,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.
What makes this potential exposure even more serious is how much data is stored on the website and who else can access it. Only the patient’s name, test, and time and location are visible on the public-facing pages, but there is more behind the scenes, accessible via any browser.
As it does with vaccination appointments, Walgreens requires a lot of personal data to register for one of its tests: full name, date of birth, phone number, email address, mailing address, and gender identity. And with a few clicks in the browser’s developer tools panel, anyone with access to the patient-specific page can find this information.
Also included are an “orderId” and the name of the lab that performed the test. That’s all the information a person needs to access test results through at least one of the Covid-19 test results portals of Walgreens’ lab partners, although only results from the last 30 days were available when a Recode reporter looked.
Ruiz and other security experts Recode spoke to also expressed alarm at the number of trackers Walgreens has put on its confirmation pages. They flagged the possibility that the companies that own the trackers – including Adobe, Akamai, Dotomi, Facebook, Google, InMoment, and Monetate, as well as any of their data-sharing partners – could ingest those patient IDs, which could be used to work out the URLs of the appointment pages and access the information they hold.
“Just having too many third-party trackers included in the appointment system is a problem, before you even think about the sloppy setup,” Yale’s O’Brien said.
Analysis from Edwards, the privacy researcher, found that many of the companies obtained URIs, or Uniform Resource Identifiers, from appointment pages. Those can be used to access patient data if the company that received them is so inclined. He said this kind of leak is the same as what he discovered on websites including Wish, Quibi, and JetBlue in April 2020 – but “even worse,” because only email addresses were leaked in those cases.
“It’s a deliberate ad tech data run, which is really frustrating, or a big mistake that puts Walgreens customers at risk of data supply chain breaches,” Edwards said.
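A site owner can audit for the leak Edwards describes by capturing the requests a confirmation page triggers and checking which third-party hosts receive the ID from the query string. The code below is an added example, not code from Walgreens or the researchers; the hostnames, the `id` parameter name, and the ID value are constructed.

```javascript
// Added example. Hostnames, the "id" parameter name and the ID value are constructed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// True when host is the site itself or one of its subdomains.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Return every third-party request that received the page's ID,
// either inside its own URL or through the Referer header.
function findIdLeaks(pageUrl, requests, idParam = "id") {
  const page = new URL(pageUrl);
  const id = page.searchParams.get(idParam);
  if (!id) return [];
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (isFirstParty(host, page.hostname)) continue;
    if (safeDecode(req.url).includes(id)) leaks.push({ host, via: "url" });
    if (req.referer && safeDecode(req.referer).includes(id)) {
      leaks.push({ host, via: "referer" });
    }
  }
  return leaks;
}

// Constructed capture of the requests one confirmation page triggered.
const PAGE = "https://pharmacy.example/covid/confirm?id=0123456789abcdef0123456789abcdef";
const CAPTURE = [
  { url: "https://pharmacy.example/static/app.js", referer: PAGE },
  { url: "https://tracker-a.example/collect?dl=" + encodeURIComponent(PAGE) },
  { url: "https://cdn.tracker-b.example/pixel.gif", referer: PAGE },
  // What a tracker sees when the page sends only its origin as Referer.
  { url: "https://tracker-c.example/t.js", referer: "https://pharmacy.example/" },
];

for (const leak of findIdLeaks(PAGE, CAPTURE)) {
  console.log(`${leak.host} received the patient ID via ${leak.via}`);
}
```

Sending only the origin as Referer (for instance with a `Referrer-Policy` of `strict-origin`) closes the second path but not the first, and neither replaces authentication on the page itself.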
Walgreens told Recode that it is a “top priority” to protect patients’ personal information, but that it also needs to balance that against the need to make Covid-19 testing “accessible as far as possible for individuals seeking a test.”
“We continue to explore our technology solutions to provide safe, secure, and accessible digital services to our customers and patients,” Walgreens said.
“This is a clear example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” Edwards said. “I’m shocked they dismissed the clear violation.”
Data on Ruiz’s family member, along with that of possibly millions of other patients, remains accessible to this day.
“It’s also just an example of a big company putting profits before our privacy,” he said.