Walgreens’ Covid-19 test registration system exposed patient data - Vox

How Walgreens’ sloppy Covid-19 test registration system exposed patient data
Millions of people got Covid-19 tests through Walgreens. Their information wasn’t adequately protected.

By Sara Morrison Updated Sep 20, 2021, 5:50pm EDT
Update, September 20: Several days after this story published, and after denying that its original page set-up was insecure, Walgreens added an authentication screen to its Covid-19 test confirmation pages, making it more difficult for bad actors to access the information. With the new authentication screen, anyone who wants to access the test confirmation pages must now enter the patient’s date of birth first. Multiple ad trackers are still present on the patient pages.

Alejandro Ruiz, a consultant with Interstitial Technology PBC who first discovered the potential data leak, told Recode that he didn’t think Walgreens’ fix was good enough. Ruiz said he would prefer a more secure verification method, like a password, and noted that the application programming interface (API), which allows Walgreens and its advertisers to communicate with each other and exchange data, remains active.

Walgreens told Recode that it added “an additional layer” to the site out of an abundance of caution, adding that it was not aware of any credible evidence of unauthorized access to patient data.

“Protecting personal information of our customers and patients is always one of our highest priorities, which we take very seriously,” the company said.

If you got a Covid-19 test at Walgreens, your personal data — including your name, date of birth, gender identity, phone number, address, and email — was left on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens’ site to collect. In some cases, even the results of these tests could be gleaned from that data.

The data exposure potentially affects millions of people who used — or continue to use — Walgreens’ Covid-19 testing services over the course of the pandemic.

Multiple security experts told Recode that the vulnerabilities found on the site are basic issues that the website of one of the largest pharmacy chains in the United States should have known to avoid. Walgreens has promoted itself as a “vital partner in testing,” and the company is reimbursed for those tests by insurance companies and the government.

Alejandro Ruiz, a consultant with Interstitial Technology PBC, discovered the issues in March after a family member got a Covid-19 test. He says he contacted Walgreens over email, phone, and through the website’s security form. The company was not responsive, he says, which didn’t surprise him.

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said.

Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities before publishing, but Walgreens did not do so.

“We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” the company told Recode.

People’s sensitive data could be exposed to numerous ad and data companies to use for their own purposes, or people may be discouraged from getting a Covid-19 test from Walgreens if they aren’t confident that their data will be secure. The platform’s vulnerabilities are another example of how technology meant to assist in the effort to stop the pandemic was built or implemented too quickly and carelessly to fully take privacy and security into account.

Walgreens also wouldn’t say how long its testing registration platform has had these vulnerabilities. They go back at least as far as March, when Ruiz discovered them, and likely far longer than that. Walgreens has offered Covid-19 tests since April 2020, and the Wayback Machine, which keeps archives of the internet, shows blank test confirmation data pages as far back as July 2020, indicating that the issue dates back at least that far.

The problems are in Walgreens’ Covid-19 test appointment registration system, which anyone who wants to get a test from Walgreens must use (unless they purchase an over-the-counter test). After the patient fills out and submits the form, a unique 32-digit ID number is assigned to them and an appointment request page is created, which has the unique ID in the URL.
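The design described above, a confirmation page whose only "credential" is the ID in its URL, and the later date-of-birth screen mentioned in the update, can be modeled in a few lines to show why security reviewers treat both as inadequate. The following is an added illustrative example, not Walgreens’ code and not a description of its actual implementation: the record contents, the 32-hex-character ID format, the 1920–2020 birth-date search range, and the five-failure lockout are all assumptions made for the demonstration.

```python
"""Three access-control designs for a test-confirmation page, as a toy model.
Illustrative only; not Walgreens' code. All data below is constructed."""
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample record of the kind the article says the page displayed.
SAMPLE_ID = "0123456789abcdef0123456789abcdef"  # assumed 32-hex-char ID format
RECORDS = {
    SAMPLE_ID: {
        "name": "Pat Example",
        "dob": date(1980, 4, 12),
        "phone": "555-0100",
        "email": "pat@example.invalid",
    }
}

def page_open(appt_id):
    """Design 1 (as originally described): anyone holding the URL gets the record.
    The ID is a lookup key, not a secret: it sits in browser history, in server
    logs, and in the URL that any script loaded on the page can read."""
    return RECORDS.get(appt_id)

def page_dob_gated(appt_id, dob_guess):
    """Design 2 (the September 20 fix as described): the visitor must also
    supply the patient's date of birth."""
    rec = RECORDS.get(appt_id)
    if rec is None or rec["dob"] != dob_guess:
        return None
    return rec

# Assumed plausible birth-date range: 101 years, about 36,900 distinct values.
DOB_SEARCH_START = date(1920, 1, 1)
DOB_SEARCH_END = date(2020, 12, 31)

def brute_force_dob(appt_id, gate=page_dob_gated):
    """Why a DOB gate is weak: with the URL in hand and no rate limiting, an
    attacker simply walks every plausible birth date. Returns (record, attempts)."""
    attempts = 0
    guess = DOB_SEARCH_START
    while guess <= DOB_SEARCH_END:
        attempts += 1
        rec = gate(appt_id, guess)
        if rec is not None:
            return rec, attempts
        guess += timedelta(days=1)
    return None, attempts

class HardenedPortal:
    """Design 3 (an assumed hardening, not Walgreens' implementation): the URL ID
    stays a lookup key; access needs a separately delivered high-entropy token,
    compared in constant time, with a small failure budget per record."""
    MAX_FAILURES = 5  # assumed threshold; a real deployment would also rate-limit by source

    def __init__(self, records):
        self._records = records
        self._tokens = {}
        self._failures = {}

    def issue_token(self, appt_id):
        """Token is delivered out of band (e.g. in the confirmation message) and
        never placed in the page URL, so it is not exposed to embedded scripts."""
        token = secrets.token_urlsafe(32)  # 256 bits; not enumerable like a DOB
        self._tokens[appt_id] = token
        return token

    def fetch(self, appt_id, token):
        if self._failures.get(appt_id, 0) >= self.MAX_FAILURES:
            return None  # locked: even the right token is refused until re-issued
        expected = self._tokens.get(appt_id)
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            self._failures[appt_id] = self._failures.get(appt_id, 0) + 1
            return None
        return self._records.get(appt_id)

if __name__ == "__main__":
    rec, attempts = brute_force_dob(SAMPLE_ID)
    print("DOB gate defeated for", rec["name"], "after", attempts, "guesses")
    portal = HardenedPortal(RECORDS)
    token = portal.issue_token(SAMPLE_ID)
    print("hardened fetch with token:", portal.fetch(SAMPLE_ID, token)["name"])
    print("hardened fetch with guess:", portal.fetch(SAMPLE_ID, "guess"))
```

The brute-force loop finds the constructed patient on guess 22,018 of a roughly 36,900-value space, which is the whole point: a date of birth is a low-entropy, often publicly known value, so it adds friction rather than an access control. The per-record lockout in the hardened design deliberately refuses the legitimate token too once the budget is spent; that is a denial-of-service trade-off, which is why real deployments pair it with source-based rate limiting and a token re-issue path rather than relying on lockout alone. None of this addresses the separate issue the article raises about third-party trackers on the page, which can read whatever the page renders regardless of how the visitor was authenticated.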