HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI

Walgreens has started notifying customers that some of their protected health information may have been accessed by other individuals as a result of an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging feature allows registered customers to receive SMS prescription refill notifications and deals and coupons. An undisclosed error in the app was identified that allowed certain information in its database to be viewed by other customers.

Affected customers have been advised that one or more personal messages may have been viewed by other individuals between January 9, 2020 and January 15, 2020. The personal messages included patients’ first and last names, drug name and prescription number, store number, and shipping address. Walgreens said health-related information was only exposed for a limited number of affected customers. The messages did not include any Social Security numbers or financial information.

According to a breach notice submitted to the California Attorney General on Friday, the error was detected by Walgreens on January 15, 2020. Walgreens immediately disabled message viewing to prevent any further unauthorized disclosures while the incident was investigated. Walgreens determined an internal application error was to blame and a technical correction was implemented to resolve the issue.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The Walgreens mobile app has been downloaded more than 10 million times from the Google Play store, but the error only impacted a small percentage of customers. According to the data breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 6,681 individuals were affected by the breach. It is unclear how many personal messages were accessed by other customers as a result of the error.

Walgreens will be conducting additional tests of the mobile app in the future before any updated versions are released to ensure updates do not impact the privacy of its customers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.