Walgreens’ COVID-19 Testing Registration System Exposes PII

September 15, 2021 - Millions who got COVID-19 tests at Walgreens may find that their personally identifiable information (PII) was left open on the internet for all to see, thanks to a cyber vulnerability found by independent researchers, Vox publication Recode reported.

The vulnerability remained unresolved as of September 13, despite Recode notifying Walgreens of the vulnerability and giving them a chance to fix the cybersecurity issues before publishing.

“We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” Walgreens told the publication.

Alejandro Ruiz, a consultant at Interstitial Technology PBC, discovered the vulnerabilities in March when a family member got tested for COVID-19. Ruiz contacted Walgreens through its security form, phone, and email, but did not receive a reply.

When a patient submits an appointment request, they receive a 32-digit identification number and a unique URL for each request. Ruiz found that the URL was accessible to anyone with access to the link. There is no need to log in or authenticate any information.

The exposed PII included birthdates, names, gender identity, phone numbers, addresses, emails, and in some cases, test results.

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz told Recode.

Two other cybersecurity experts confirmed the findings. Bad actors can potentially obtain the information, and ad trackers can collect the data.

It is unclear how long the vulnerability has been exposed, but researchers estimate that PII was in jeopardy at least as far back as July 2020.

Anyone who has access to an individual’s browsing history can see the page, including employers or those accessing the portal on a public computer.

Researchers also expressed concern over the number of third-party ad trackers on Walgreen’s appointment confirmation pages. Adobe, Dotomi, Facebook, Google, Akami, Monetate, and InMoment all had placed ad trackers on the pages and could potentially access private information.

Walgreens did not elaborate on whether they planned to fix the vulnerability. When asked about the ad trackers, Walgreens told Recode that its privacy policy explicitly explains its use of cookies. But researchers found that tracking through cookies was not the issue, and Walgreens failed to explain further.

“It’s just another example of a large company that prioritizes its profits over our privacy,” Ruiz remarked.

The incident is especially troubling to researchers who remain wary of how fast COVID-19 testing and vaccination portals were created. In the middle of a public health emergency, cybersecurity may have been overlooked in some cases, resulting in private patient data being readily available to bad actors.

Walgreens found itself as the subject of another investigation recently when Indianapolis news station WTHR discovered that HHS’ Office for Civil Rights (OCR) failed to realize that its investigation into a 2006 Walgreens HIPAA violation remained an open case over 10 years later.

CVS, Rite Aid, and Walgreens were all found to be exposing protected health information (PHI) by improperly disposing of medical records in unsecured dumpsters. CVS and Rite Aid paid a combined $3.25 million in fines, but Walgreens paid nothing.

After the news outlet pointed out to OCR that the case was still open in 2016, OCR abruptly closed the case and said that Walgreens had taken voluntary compliance actions. The investigation revealed inconsistencies with HIPAA enforcement, and Walgreens walked away unscathed.