If you’ve taken a Covid-19 test at Walgreens, your personal information, including your name, date of birth, gender identity, phone number, address, and email, is open to anyone on the web who can find it, and to the multiple ad trackers on Walgreens’ site that collect it. In some cases, even the results of those tests can be gleaned from that data.
The data exposure potentially affects millions of people who have used, or continue to use, Walgreens’ Covid-19 testing services during the pandemic.
Multiple security experts told Recode that the vulnerabilities found on the site are basic ones that the website of the largest pharmacy chain in the United States should have avoided. Walgreens has promoted itself as an “important partner in testing” and has been reimbursed for those tests by insurance companies and the government.
Alejandro Ruiz, a consultant at Interstitial Technology PBC, discovered the problems in March after a family member received a Covid-19 test. He said he contacted Walgreens by email, by phone and through the website’s security forms. The company was not responsive, he said, which did not surprise him.
“Any company that makes such a bug in an app that handles healthcare data doesn’t take security seriously,” Ruiz said.
Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities before publication, but Walgreens didn’t.
“We regularly review and increase additional security if deemed necessary or appropriate,” the company told Recode.
Sensitive patient data can be exposed to numerous ad and data companies to use for their own purposes, and people may be discouraged from getting a Covid-19 test from Walgreens if they are not confident that their data will be protected. The platform’s vulnerabilities are also another example of how technology meant to assist in efforts to stop the pandemic was created too quickly and carelessly to fully consider privacy and security.
Walgreens would also not say how long its test registration platform has had these vulnerabilities. They go back at least to March, when Ruiz discovered them, and probably much further than that. Walgreens has offered Covid-19 tests since April 2020, and the Wayback Machine, which maintains an archive of the internet, shows test confirmation pages dating back to July 2020, indicating that the problem goes back at least that far.
The problems lie in Walgreens’ Covid-19 test registration system, which anyone who wants to get a test from Walgreens must use (unless they buy an over-the-counter test). After the patient completes and submits the form, they are given a unique 32-digit ID number and an appointment confirmation page is created, with that unique ID in the URL.
Anyone who has a link to that page can view the information on it; there is no need to prove they are the patient or to log in to an account. The page stays active for at least six months, if not longer.
“The technological process that Walgreens used to protect sensitive human information was almost non-existent,” Zach Edwards, a privacy researcher and founder of the analytics firm Victory Medium, told Recode.
The URLs for these pages are identical except for the unique patient ID, which sits in what’s called a “query string,” the part of the URL that begins with a question mark. Since millions of tests have been run across more than 20,000,000 Walgreens testing sites using this registration system, there are probably millions of active IDs. An active ID could be guessed, or a determined hacker could build a bot that rapidly generates URLs in the hope of hitting an active page, security experts told Recode, and then use the biographical information on it to hijack that person’s accounts on other sites. But, given how many characters are in the ID and therefore how many combinations there are, they said it would be nearly impossible to find even one active page this way, even with millions of them out there. Of course, nearly impossible is not the same as impossible.
Anyone with access to a patient’s browsing history can also view the page. That may include an employer that logs employees’ internet activity, for example, or someone who has access to the browser history on a public or shared computer.
“Security by obscurity is a terrifying model for health records,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.
What makes this potential leak significantly worse is how much data is stored on the page and who else can access it. Only the patient’s name, type of test, and time and location of the appointment are visible on the page itself, but much more sits behind the scenes, accessible through any browser.
As with vaccine appointments, Walgreens requires a lot of personal information to register for a test: full name, date of birth, phone number, email address, mailing address and gender identity. And with a few clicks in a browser’s Developer Tools panel, anyone with access to a specific patient’s page can find this information.
Also included is an “OrderID,” as well as the name of the lab doing the testing. For at least one of Walgreens’ lab partners, that is all the information needed to access the test results through its Covid-19 test results portal; a Recode reporter checked and found results from the last 10 days.
Ruiz and the other security experts also warned Recode about the number of trackers on Walgreens’ confirmation page. They identified the possibility that the companies that own these trackers – Adobe, Akamai, Dotomi, Facebook, Google, InMoment, Monetate – and their data-sharing partners may receive patient IDs, which could be used to find the URL of the appointment page and access the information on it.
Yale’s O’Brien said, “The sheer number of third-party trackers associated with the application system is a problem, before you even consider a sloppy setup.”
Analysis by privacy researcher Edwards found that several of those companies were receiving URIs, or uniform resource identifiers, from appointment pages. Those could then be used to access patient data if the company receiving them were so inclined. He said the leaks were similar to ones he discovered in April 2020 on websites including Wish, Quibi and JetBlue – but “worse,” because those only leaked email addresses.
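As an added illustration (not Walgreens’ code), the following Python models the two design flaws described above, a record served on nothing more than the ID in the query string, and a URL that flows to third-party trackers through the Referer header, beside a hardened handler; the record store, session table and IDs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data (fictional): appointment ID -> record, session -> patient.
APPOINTMENTS = {
    "3f9a1c2e4b5d6f7081920a1b2c3d4e5f": {
        "patient_id": "p-1", "name": "A. Example", "test": "PCR", "lab": "ExampleLab",
    },
}
SESSIONS = {"sess-abc": "p-1"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _appointment_id(url: str) -> str:
    # The ID lives in the query string, the part of the URL after the '?'.
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def vulnerable_view(url: str) -> Response:
    """Design described in the article: the link is the only 'credential'.
    No login check, and no Referrer-Policy, so the full URL (ID included)
    is sent in the Referer header to any third-party tracker on the page."""
    rec = APPOINTMENTS.get(_appointment_id(url))
    return Response(200, rec) if rec else Response(404)


def hardened_view(url: str, session_token: Optional[str]) -> Response:
    """Hardened alternative: require a session that owns the record, answer
    'not found' and 'not yours' identically so the ID space cannot be probed,
    and stop the URL from reaching third parties via the Referer header."""
    headers = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
    patient = SESSIONS.get(session_token or "")
    if patient is None:
        return Response(401, headers=headers)
    rec = APPOINTMENTS.get(_appointment_id(url))
    if rec is None or rec["patient_id"] != patient:
        return Response(404, headers=headers)
    return Response(200, rec, headers)
```

The `Referrer-Policy: no-referrer` header only addresses the Referer leak; scripts that read `location.href` directly still see the ID, which is why the ownership check, not the header, is the essential fix.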
“This is either an intentional advertising technology information flow, which would be really frustrating, or a huge mistake that puts a huge portion of Walgreens customers at risk of breaking the data supply discipline,” Edwards said.
Walgreens told Recode that protecting its patients’ personal information is a “top priority,” but that its Covid-19 testing needs to balance data protection requirements with “making it as accessible as possible for those who want to test.”
“We continually evaluate our technology solutions to provide safe, secure and accessible digital services to our customers and patients,” Walgreens said.
“This is a clear example [of this type of vulnerability], but with Covid data and personally identifiable information,” Edwards said. “I’m shocked they’re denying this blatant violation.”
The information of millions of other potential patients, including that of Ruiz’s family member, remains exposed today.
“This is another example of a large company that prioritizes its profits over our privacy,” he said.