Vulnerability in Walgreens Mobile App Secure Messaging Feature Made PHI Accessible

Walgreens has started contacting customers to make them aware that a portion of their protected health information may have been accessed by unauthorized individuals due to an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging includes a feature that allows registered customers to manage and receive SMS prescription refill notifications and deals and coupons. A vulnerability was discovered in the app that allowed specific information in its database to be viewed by other people.

Impacted customers have been warned that one or more personal messages may have been seen by other people between January 9, 2020 and January 15, 2020. The personal messages included patients’ first names and surnames, drug name and prescription number, store number, and shipping address. Walgreens has disclosed that health-related information was only accessible for a restricted number of affected customers. The messages did not include any Social Security numbers or financial data.

According to a breach notice published on the California Attorney General's website on Friday, the error was discovered by Walgreens on January 15, 2020. Walgreens quickly turned off message viewing to prevent any further unauthorized disclosures while the incident was examined. Walgreens found that an internal application error was to blame, and a technical correction was made to address the issue.

The Walgreens mobile app has been installed more than 10 million times from the Google Play store, but the vulnerability only impacted a small percentage of customers. According to the data breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 6,681 individuals were impacted by the breach. It is not known how many personal messages were accessed by other customers as a result of the mistake.

Walgreens will carry out more tests of the mobile app before any updated versions are made available in the future, to ensure updates do not affect the privacy of its customers.

Author: Security News