Update, September 20: Several days after this story was published, and after denying that its original page setup was insecure, Walgreens added an authentication screen to its Covid-19 test confirmation pages, making it harder for bad actors to access the data. With the new authentication screen, anyone who wants to access the test confirmation pages must now enter the patient’s date of birth first. Multiple ad trackers are still present on the patient pages.
Alejandro Ruiz, a consultant with Interstitial Technology PBC who first discovered the potential data leak, told Recode that he didn’t think Walgreens’ fix was good enough. Ruiz said he would prefer a more secure verification method, like a password, and noted that the application programming interface (API), which allows Walgreens and its advertisers to communicate with each other and exchange data, remains active.
Walgreens told Recode that it added “an additional layer” to the site out of an abundance of caution, adding that it was not aware of any credible evidence of unauthorized access to patient data.
“Protecting personal information of our customers and patients is always one of our highest priorities, which we take very seriously,” the company said.
If you got a Covid-19 test at Walgreens, your personal data — including your name, date of birth, gender identity, phone number, address, and email — was left on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens’ site to collect. In some cases, even the results of these tests could be gleaned from that data.
The data exposure potentially affects millions of people who used — or continue to use — Walgreens’ Covid-19 testing services over the course of the pandemic.
Multiple security experts told Recode that the vulnerabilities found on the site are basic issues that the website of one of the largest pharmacy chains in the United States should have known to avoid. Walgreens has promoted itself as a “vital partner in testing,” and the company is reimbursed for these tests by insurance companies and the government.
Alejandro Ruiz, a consultant with Interstitial Technology PBC, discovered the issues in March after a family member got a Covid-19 test. He says he contacted Walgreens over email, phone, and through the website’s security form. The company was not responsive, he says, which didn’t surprise him.
“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said.
Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities before publishing, but Walgreens did not do so.
“We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” the company told Recode.
People’s sensitive data could be exposed to numerous ad and data companies to use for their own purposes, or they might be discouraged from getting a Covid-19 test from Walgreens if they aren’t confident that their data will be secure. The platform’s vulnerabilities are also another example of how technology meant to help in the effort to stop the pandemic was built or implemented too quickly and carelessly to fully take privacy and security into account.
Walgreens also wouldn’t say how long its testing registration platform has had these vulnerabilities. They go back at least as far as March, when Ruiz discovered them, and likely far longer than that. Walgreens has offered Covid-19 tests since April 2020, and the Wayback Machine, which keeps archives of the internet, shows blank test confirmation data pages as far back as July 2020, indicating that the issue dates back at least that far.
The problems are in Walgreens’ Covid-19 test appointment registration system, which anyone who wants to get a test from Walgreens must use (unless they purchase an over-the-counter test). After the patient fills out and submits the form, a unique 32-digit ID number is assigned to them and an appointment request page is created, which has the unique ID in the URL.
Anyone who has a link to that page can see the information on it; there’s no need to authenticate that they’re the patient or log in to an account. The page remains active for at least six months, if not more.
“The technical process that Walgreens deployed to protect people’s sensitive information was nearly nonexistent,” Zach Edwards, privacy researcher and founder of the analytics firm Victory Medium, told Recode.
The URLs for these pages are the same except for a unique patient ID contained in what’s called a “query string” — the part of the URL that begins with a question mark. As millions of tests across more than 6,000 Walgreens testing sites were run using this registration system, there are likely millions of active IDs out there. An active ID could be guessed, or a determined hacker could create a bot that rapidly generated URLs in the hope of hitting any active pages, security experts told Recode, giving them a source of biographical data about people they could potentially use to hack their accounts on other sites. But, given how many characters are in the IDs and therefore how many combinations there are, they said it’d be close to impossible to find just one active page this way — even with the millions of them out there. Of course, close to impossible isn’t the same as impossible.
Anyone who has access to someone’s browsing history can see the page. That could include an employer that logs employees’ internet activities, for example, or someone who accesses the browser history on a public or shared computer.
“Security by obscurity is an awful model for health records,” Sean O’Brien, the founder of Yale’s Privacy Lab, told Recode.
What makes this potential leak considerably worse is just how much data is stored on the site and who else could be getting access to it. Only the patient’s name, type of test, and appointment time and location are visible on the public-facing pages themselves, but far more than that is behind the scenes, accessible through any browser.
As it did with vaccine appointments, Walgreens requires a lot of personal data to register for one of its tests: full name, date of birth, phone number, email address, mailing address, and gender identity. And with a few clicks in a browser’s developer tools panel, anyone with access to a specific patient’s page can find this information.
Included is an “orderId,” as well as the name of the lab that performed the test. That’s all the information someone would need to access the test results through at least one of Walgreens’ lab partners’ Covid-19 test results portals, though only results from the last 30 days were available when a Recode reporter looked hers up.
Ruiz and the other security experts Recode spoke to also expressed alarm at the number of trackers Walgreens placed on its confirmation pages. They flagged the possibility that the companies that own these trackers — including Adobe, Akamai, Dotomi, Facebook, Google, InSecond, Monetate, as well as any of their data-sharing partners — could be ingesting the patient IDs, which could be used to figure out the URLs of the appointment pages and access the information they hold.
“Just the sheer number of third-party trackers attached to the appointment system is a problem, before you consider the sloppy setup,” Yale’s O’Brien said.
Analysis from Edwards, the privacy researcher, found that several of those companies were getting URIs, or Uniform Resource Identifiers, from the appointment pages. Those could then be used to access the patient data if the company receiving them were so inclined. He said this type of leak is similar to what he found on websites including Wish, Quibi, and JetBlue in April 2020 — but “much worse,” as only email addresses were leaked in those cases.
“This is either a purposeful ad tech data flow, which would be truly disappointing, or a colossal mistake that has been putting a huge portion of Walgreens customers at risk of data supply chain breaches,” Edwards said.
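As an added illustration (not from the original article and not Walgreens’ code), the JavaScript below shows how a site owner could audit a browser capture for the kind of leak Edwards describes: a record ID from the page’s query string reaching third-party hosts in a request URL or a Referer header. The hostnames, the `id` parameter name, the ID value, and the captured requests are all constructed for the example.

```javascript
// Constructed sample: a confirmation-page URL whose query string carries the record ID,
// plus outgoing requests as they might appear in a browser HAR capture of that page.
const PAGE_URL = "https://pharmacy.example/covid/confirm?id=0123456789abcdef0123456789abcdef";
const CAPTURED = [
  { url: "https://tracker-a.example/collect?dl=" + encodeURIComponent(PAGE_URL), headers: {} },
  { url: "https://tracker-b.example/pixel.gif?ev=view", headers: { referer: PAGE_URL } },
  { url: "https://tracker-c.example/b?u=" + encodeURIComponent(encodeURIComponent(PAGE_URL)), headers: {} },
  { url: "https://cdn.example/lib.js", headers: { referer: "https://pharmacy.example/" } },
  { url: "https://pharmacy.example/api/appt?id=0123456789abcdef0123456789abcdef", headers: {} },
];

// Undo up to `rounds` layers of percent-encoding, so IDs containing reserved characters
// still match when a tracker encodes the page URL once or twice.
function decodeFully(s, rounds = 3) {
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { return s; } // malformed escape: stop here
    if (next === s) break;
    s = next;
  }
  return s;
}

// Report every third-party request that carries the page's secret query parameter,
// either inside its own URL or in the Referer header.
function findTokenLeaks(pageUrl, param, requests) {
  const page = new URL(pageUrl);
  const token = page.searchParams.get(param);
  if (!token) return [];
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === page.hostname) continue; // first-party (simplified: exact host match)
    if (decodeFully(req.url).includes(token)) leaks.push({ host, via: "url" });
    const referer = Object.entries(req.headers || {})
      .find(([name]) => name.toLowerCase() === "referer");
    if (referer && decodeFully(referer[1]).includes(token)) leaks.push({ host, via: "referer" });
  }
  return leaks;
}

// Mitigation side: the URL that is safe to hand to analytics, with sensitive parameters removed.
function redactUrl(pageUrl, sensitiveParams) {
  const u = new URL(pageUrl);
  for (const p of sensitiveParams) u.searchParams.delete(p);
  return u.toString();
}

console.log(findTokenLeaks(PAGE_URL, "id", CAPTURED));
console.log(redactUrl(PAGE_URL, ["id"]));
```

Redacting the URL only stops the ID from being passed to analytics calls explicitly; the Referer path also needs a restrictive `Referrer-Policy`, and neither replaces authenticating access to the page itself.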
Walgreens told Recode that it was a “top priority” to protect its patients’ personal information, but that it also had to balance the need to secure information with making Covid-19 testing “as accessible as possible for individuals seeking a test.”
“We continually evaluate our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients,” Walgreens said.
“This is a clear-cut example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” Edwards said. “I’m shocked they are refuting this clear breach.”
Ruiz’s family member’s data, along with that of potentially millions of other patients, remains up today.
“It’s just another example of a large company that prioritizes its profits over our privacy,” he said.