Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI


Walgreens has started notifying customers that some of their protected health information may have been accessed by other individuals as a result of an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging feature allows registered customers to receive SMS prescription refill notifications as well as deals and coupons. An undisclosed error identified in the app allowed certain information in its database to be viewed by other customers.

Affected customers have been advised that one or more personal messages may have been viewed by other individuals between January 9, 2020 and January 15, 2020. The personal messages included patients’ first and last names, drug name and prescription number, store number, and shipping address. Walgreens said health-related information was only exposed for a limited number of affected customers. The messages did not include any Social Security numbers or financial information.

According to a breach notice submitted to the California Attorney General on Friday, the error was detected by Walgreens on January 15, 2020. Walgreens immediately disabled message viewing to prevent any further unauthorized disclosures while the incident was investigated. Walgreens determined an internal application error was to blame and a technical correction was implemented to resolve the issue.

The Walgreens mobile app has been downloaded more than 10 million times from the Google Play store, but the error only impacted a small percentage of customers. According to the data breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 6,681 individuals were affected by the breach. It is unclear how many personal messages were accessed by other customers as a result of the error.

Walgreens will be conducting additional tests of the mobile app in the future before any updated versions are released to ensure updates do not impact the privacy of its customers.

Author: HIPAA Journal
