Patient Information Exposed Through Walgreens Covid-19 Test Registration System

The personal records of persons who got a COVID-19 test at a Walgreens pharmacy were exposed on the web as a result of vulnerabilities found in its COVID-19 test registration program.

It is at this time not clear how many people were affected, though they might well be in the millions given the number of COVID-19 tests Walgreens has done starting from April 2020. It is unknown when the website had the vulnerabilities, however, they go as far back to about March 2021 when Interstitial Technology PBC consultant Alejandro Ruiz identified them. He discover a security error when a family member had a COVID-19 test completed at Walgreens. Ruiz contacted Walgreens to notify them about the data exposure, yet stated the company did not respond.

Ruiz chatted with Recode concerning the matter. Two security experts affirmed the security vulnerabilities. Recode reported the concern to Walgreens, and the organization claimed they consistently examine and use extra security advancements when thought either required or appropriate. Nonetheless, until September 13, 2021, the vulnerabilities were not yet dealt with.

Recode states that utilizing the Wayback Machine, which includes an archive of the online world, blank test confirmations dated July 2020 could be looked at, showing the vulnerabilities were there since then.

As per the security professionals, the vulnerabilities were due to the basic flaws in the Walgreens’ Covid-19 test booking registration system. As soon as a patient accomplishes an online form, they are given a 32-digit ID number along with the creation of an appointment request form, which has the unique 32-digit ID number in the web address. Any person who has that web address will be able to access the form. No authentication is required to view the page.

The pages merely include a patient’s name, type of test, appointment time, and location in the accessible section, nevertheless, with the developer tools panel of a web browser, other information may be viewed, which include birth date, address, email address, telephone number, and gender information. Given that the OrderID and the name of the laboratory that carried out the test are likewise enclosed in the data, it can be possible to see the test result data, at least at Walgreens’ laboratory partners’ test result websites.

An active page can be read by an unauthorized man or woman when making use of a computer of a person who had scheduled a test by means of their Web history. A company, for example, may check the data when the page was utilized on a work computer. The details would additionally be accessible to the third-party ad trackers found on the Walgreens booking verification pages. Researchers observed that the confirmation pages got ad trackers from Facebook Adobe, Akami, Google Dotomi, InMoment, and Monetate, all of which can likely access private details.

The web addresses of all confirmation pages are identical apart from the unique 32-digit code included in a “query string”. The researchers stated there are possibly millions of active appointment confirmation pages since Walgreens is performing COVID-19 tests at close to 6,000 online sites all over the United States for about 18 months.

The researchers indicated a hacker may develop a bot to produce 32-digit ID numbers, add them to URLs, and then indicate active pages. Even if the number of digits in the URL will be a lengthy task, it’s not impossible.

Ruiz mentioned to Recode that any firm that made such standard errors in an application that deals with health care information are one that doesn’t consider security very seriously. It’s only yet another example of a huge company that prioritizes its revenue over data protection.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.