Walgreens Mobile App Exposed Health-Related Messages
For Six Days, App May Have Shown Private Messages to Other Users
The mobile app of U.S. pharmaceutical retailer Walgreens inadvertently disclosed personal messages to other customers due to an internal application error, revealing some health-related information.
Walgreens filed a copy of the data breach notification it has sent to affected customers with California’s Office of the Attorney General, which makes those notifications public. The notification was published on Friday.
“As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to the notice.
California law requires organizations to notify those affected if an incident exposes unencrypted personal data to unauthorized people. If an incident affects more than 500 California residents, the state publishes the data breach notice sent to those affected.
It’s unclear how many people have been affected nationwide. Efforts to reach Walgreens were unsuccessful.
As of Monday, the Walgreens incident was not posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
‘Internal Application Error’
Walgreens discovered an error within the app’s personal secure messaging feature on Jan. 15.
“Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app,” the company says.
“Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.”
The exposure occurred between Jan. 9 and Jan. 15. The data may have included first and last names, prescription numbers and drug names, store numbers and shipping addresses, Walgreens says.
“Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data,” the company says.
What to Do
Walgreens didn’t release much technical information about the bug, making it difficult to ascertain the risk. But there doesn’t appear to be any need to take action.
The company says it “recommends customers monitor their prescription and medical records.”
And although no financial information was involved, the company provided information on how to obtain a free credit report. The credit report, however, would only show requests by creditors for financial records held by companies such as Equifax and Experian. Credit records can indicate possible fraud attempts.