
Walgreens Mobile App Exposed Health-Related Messages

For Six Days, App May Have Shown Private Messages to Other Users

The mobile app of U.S. pharmaceutical retailer Walgreens inadvertently disclosed personal messages to other customers due to an internal application error, revealing some health-related information.


Walgreens filed a copy of the data breach notification it has sent to affected customers with California's Office of the Attorney General, which makes those notifications public. The notification was published on Friday.

"As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers," according to the notice.

California law requires organizations to notify those affected if an incident exposes unencrypted personal data to unauthorized people. If an incident affects more than 500 California residents, the state publishes the data breach notice sent to those affected.

It's unclear how many people have been affected nationwide. Efforts to reach Walgreens were unsuccessful.

As of Monday, the Walgreens incident was not posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.

'Internal Application Error'

Walgreens discovered an error within the app's personal secure messaging feature on Jan. 15.

"Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app," the company says.

"Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue."

Walgreens' mobile app (Photo: Walgreens)

The exposure occurred between Jan. 9 and Jan. 15. The data may have included first and last names, prescription numbers and drug names, store numbers and shipping addresses, Walgreens says.

"Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data," the company says.

What to Do

Walgreens didn't release much technical information about the bug, making it difficult to ascertain the risk. But there doesn't appear to be any need to take action.

The company says it "recommends customers monitor their prescription and medical records."

And although no financial information was involved, the company provided information on how to obtain a free credit report. The credit report, however, would only show requests by creditors for financial records held by companies such as Equifax and Experian. Credit records can indicate possible fraud attempts.


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



