Patient Data Compromised Via Walgreens’ Covid-19 Test Registration System

The personal information of people who had taken a COVID-19 test at a Walgreens pharmacy was exposed online because of vulnerabilities found in its COVID-19 test registration system.

It is presently uncertain how many persons were impacted, even though they may well be in the millions considering the number of COVID-19 testing Walgreens has done beginning April 2020. It is uncertain when the site got the vulnerabilities, however, they date back to at least March 2021 when Interstitial Technology PBC consultant Alejandro Ruiz identified them. He found a security problem when a relative had a COVID-19 test completed at Walgreens. Ruiz got in touch with Walgreens to advise them concerning the data exposure, however, said the firm had no response.

Ruiz talked to Recode regarding the problem. Two security specialists affirmed the security vulnerabilities. Recode mentioned the problem to Walgreens, and the organization stated they routinely evaluate and integrate more security improvements when considered either needed or appropriate. Nevertheless, till September 13, 2021, the vulnerabilities were not yet resolved.

Recode says that utilizing the Wayback Machine, which consists of an archive of the Web, blank test confirmations dating back to July 2020 may be viewed, suggesting the vulnerabilities were existing since that time.

Based on the security experts, the vulnerabilities were caused by the basic mistakes in the Walgreens’ Covid-19 test scheduling registration system. After a patient fills up an online form, they are provided a 32-digit ID number as well as the generation of an appointment request form, which includes the unique 32-digit ID number in the web link. Anybody who has that link will be able to access the form. No authentication is necessary to access the page.

The pages simply consist of a patient’s name, type of test, booking schedule and location in the seen part, however by means of the developer tools screen of an internet browser, other data can be accessed, such as date of birth, address, email address, phone number, and gender identity. Considering that the OrderID and the name of the facility that conducted the test are also contained in the information, it is possible to view the test result, at least at one of Walgreens’ lab partners’ test result sites.

An active page may be seen by an unauthorized person if making use of a computer of somebody who had set a test through their Internet history. An employer, for instance, can see the data in case the page was used on a work computer. The information would likewise be viewable to the third-party ad trackers existing on the Walgreens appointment confirmation pages. Researchers take note that the confirmation pages include ad trackers from Adobe, Facebook, Akami, Dotomi, Google, Monetate, and InMoment, all of which may possibly access private details.

The links of all confirmation pages are similar besides the unique 32-digit code contained in a “query string”. The researchers stated there are probably millions of active booking confirmation pages since Walgreens has been doing COVID-19 tests at about 6,000 websites throughout the United States for nearly 18 months.

The researchers mentioned a hacker can make a bot crank out 32-digit identification numbers, add them to web links, and then identify active pages. Thinking about the number of digits in the link would be a lengthy task, although it is not impossible.

Any firm that made such simple errors in an app that manages health care data is one that does not think about security seriously, mentioned Ruiz to Recode. It’s simply one more example of a big company that prioritizes its income over data privacy.