Vulnerability in Walgreens Mobile App Secure Messaging Feature Made PHI Accessible

By Maria Perez

Walgreens has started contacting customers to make them aware that a portion of their protected health information may have been accessed by unauthorized individuals due to an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging app includes a feature that allows registered customers to manage and receive SMS prescription refill notifications and deals and coupons. A vulnerability was discovered in the app that permitted specific information in its database to be viewed by other people.

Impacted customers have been warned that one or more personal messages may have been seen by other people between January 9, 2020 and January 15, 2020. The personal messages included patients’ names, drug name and prescription number, store number, and shipping address. Walgreens has disclosed that health-related information was only accessible for a small percentage of its customers. The messages did not include any Social Security numbers or financial data.

According to a breach notice published on the California Attorney General’s website on Friday, the error was discovered by Walgreens on January 15, 2020. Walgreens quickly turned off message viewing to prevent any further unauthorized disclosures while the incident was investigated. Walgreens found that an internal application error was to blame and a technical correction was made to address the issue.

The Walgreens mobile app has been downloaded more than 10 million times from the Google Play store, but the vulnerability only impacted a small percentage of customers. According to the data breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 6,681 individuals were impacted by the breach. It is not known how many personal messages were accessed by other customers as a result of the mistake.

Walgreens will be carrying out more tests of the mobile app in the future to ensure any errors are corrected before release.
