Walgreens Mobile App Exposed Health-Related Messages

For Six Days, App May Have Shown Private Messages to Other Users

The mobile app of U.S. pharmaceutical retailer Walgreens inadvertently disclosed personal messages to other customers due to an internal application error, revealing some health-related information.

Walgreens filed a copy of the data breach notification it has sent to affected customers with California’s Office of the Attorney General, which makes those notifications public. The notification was published on Friday.

“As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to the notice.

California law requires organizations to notify those affected if an incident exposes unencrypted personal data to unauthorized people. If an incident affects more than 500 California residents, the state publishes the data breach notice sent to those affected.

It’s unclear how many people have been affected nationwide. Efforts to reach Walgreens were unsuccessful.

As of Monday, the Walgreens incident was not posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.

‘Internal Application Error’

Walgreens discovered an error within the app’s personal secure messaging feature on Jan. 15.

“Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app,” the company says.

“Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.”

Walgreens' mobile app (Photo: Walgreens)

The exposure occurred between Jan. 9 and Jan. 15. The data may have included first and last names, prescription numbers and drug names, store numbers and shipping addresses, Walgreens says.

“Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data,” the company says.

What to Do

Walgreens didn’t release much technical information about the bug, making it difficult to ascertain the risk. But there doesn’t appear to be any need to take action.

The company says it “recommends customers monitor their prescription and medical records.”

And although no financial information was involved, the company provided information on how to obtain a free credit report. The credit report, however, would only show requests by creditors for financial records held by companies such as Equifax and Experian. Credit records can indicate attempts at possible fraud.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.



