Customer-facing apps provide the means to enhance customer experiences and cost-effectively boost revenues. However, they also pose mobile security challenges.
Walgreens, the United States’ second-largest drugstore chain, recently announced a data breach that might have exposed personal health information (PHI). According to a notice by the California attorney general’s office, pharmacy giant Walgreens encountered a serious breach in its customer data, due to a flaw in its customer mobile app.
On January 15, 2020, officials said they first discovered an error in the Walgreens personal secure messaging features and launched an investigation. Although the flaw only concerned the private messaging feature of the app, they found a data compromise, which allowed personal messages stored on its database to be viewable by other customers. It made key personal and medical details available to customers other than those whose data was being exposed. These details included first and last names, prescription numbers and drug names, store numbers, and shipping addresses.
Walgreens has confirmed that the breach was isolated to the period between January 9 and January 15, 2020, but says this “limited health-related information” was only leaked for a small percentage of impacted users. They also confirmed that the app’s messaging feature was closed until the flaw could be fixed, and that their app testing regime would be strengthened.
The privacy of third-party applications has been a point of dispute as the Department of Health and Human Services prepares the completed interoperability and information blocking regulations, given the rules’ heavy dependence on third-party apps. The Department of Health and Human Services has reminded healthcare companies that third-party applications chosen by patients are frequently exempt from HIPAA regulations.
This incident is a painful reminder that data breaches can and do occur in places where they are not immediately expected. As ever, security controls, monitoring, and testing must be continuously reviewed and updated.
Just a few months later, it seems that they didn’t learn their lesson. Walgreens announced yet another data breach that might have exposed the personal health information (PHI) of more than 72,000 people throughout the country.
In late May and early June, unidentified criminals entered multiple Walgreens shops and took prescription information and other data. Customers’ prescription information was taken during the May riots, according to Walgreens spokesperson Jim Cohn, when roughly 180 of the company’s 9,277 stores were robbed. In a letter to affected individuals dated July 24, Walgreens said the data was compromised sometime between May 26 and June 5 as various individuals broke into multiple Walgreens stores and stole items containing health-related information.
The following information was exposed:
Photo ID number – Driver’s license, state ID, military ID, or passport (e.g., for purchases such as pseudoephedrine)
Clinical information such as medication name, strength, quantity, and description
The prescription number along with prescriber name, health plan name, and group number
Vaccination information including eligibility information
Balance rewards number
As compensation, the impacted customers were offered one year of credit monitoring free of charge and were given advice on how to obtain and monitor credit reports. Customers were further advised to “follow-up with your insurance company or the care provider for any items you don’t recognize.”
The incidents are a reminder that our personal data is not limited to the digital world: even as health care organizations try to guard their networks from hackers, physical attacks can also compromise sensitive customer data. The paper trail we leave behind has an equal chance to fuel an identity thief’s next attack.