Walgreens’ Covid-19 test recording system exposed patient data

Update, September 20: Several days after this story was published, and after denying that its original page setup was insecure, Walgreens added an authentication screen to its Covid-19 test confirmation pages, making it more difficult for bad actors to access the information. With the new authentication screen, anyone wishing to access the test confirmation pages must now enter the patient’s date of birth first. Several advertising trackers are still present on patient pages.

Alejandro Ruiz, a consultant at Interstitial Technology PBC who first discovered the potential data leak, told Recode that he didn’t think Walgreens’ patch was good enough. Ruiz said he would prefer a more secure method of verification, such as a password, and noted that the application programming interface (API), which allows Walgreens and its advertisers to communicate with each other and exchange data, remains active.

Walgreens told Recode it had added “an extra layer” to the site out of caution, adding that it was not aware of any credible evidence of unauthorized access to patient data.

“Protecting the personal information of our customers and patients is always one of our highest priorities, which we take very seriously,” the company said.

If you’ve been tested for Covid-19 at Walgreens, your personal details – including your name, date of birth, gender identity, phone number, address, and email – have been left open on the web for anyone to see and for multiple advertising trackers on the Walgreens site to collect. In some cases, even the results of these tests could be gleaned from this data.

The data exposure potentially affects millions of people who have used – or continue to use – Walgreens’ Covid-19 testing services during the pandemic.

Several security experts told Recode that the vulnerabilities found on the site are fundamental problems that the website of one of the largest drugstore chains in the United States should have known how to avoid. Walgreens has touted itself as an “essential partner in testing,” and the company is reimbursed for these tests by insurance companies and the government.

Alejandro Ruiz, a consultant at Interstitial Technology PBC, discovered the problems in March after a family member was tested for Covid-19. He says he contacted Walgreens via email, phone, and the website’s security form. The company was not responsive, he said, which did not surprise him.

“Any business that has made such fundamental mistakes in an application that handles health data is a business that doesn’t take security seriously,” Ruiz said.

Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to patch the vulnerabilities before publishing, but Walgreens did not.

“We regularly review and incorporate additional security enhancements when deemed necessary or appropriate,” the company told Recode.

People’s sensitive data may be exposed to many advertising and data companies to use for their own purposes, or people may be discouraged from taking a Walgreens Covid-19 test if they are not confident their data will be secure. The platform’s vulnerabilities are also another example of how technology intended to help stop the pandemic has been built or implemented too quickly and carelessly to fully consider privacy and security.

Walgreens also wouldn’t say how long its test recording platform has had these vulnerabilities. They date back to at least March, when Ruiz discovered them, and probably much longer than that. Walgreens has been offering Covid-19 testing since April 2020, and the Wayback Machine, which maintains internet records, shows blank test confirmation data pages as early as July 2020, indicating that the problem dates back to at least that date.

The problems lie with Walgreens’ Covid-19 test appointment recording system, which anyone wishing to take a Walgreens test must use (unless they buy an over-the-counter test). After the patient has completed and submitted the form, they are assigned a unique 32-digit ID number and an appointment request page is created, which has the unique ID in the URL.

The page created after registering a patient for a Covid-19 test (Patient ID in URL has been blurred).

Anyone with a link to this page can see the information there; it is not necessary to authenticate that this is the patient or to log into an account. The page remains active for at least six months, if not longer.

“The technical process Walgreens deployed to protect people’s sensitive information was almost non-existent,” Zach Edwards, privacy researcher and founder of analytics firm Victory Medium, told Recode.

The URLs for these pages are the same, except for a unique patient ID contained in what is called a “query string” – the part of the URL that begins with a question mark. As millions of tests at over 6,000 Walgreens test sites have been performed using this recording system, there are likely millions of active IDs. An active ID could be guessed, or a determined hacker could create a bot that quickly generated URLs in hopes of reaching all active pages, security experts told Recode, giving them a source of biographical data on people that could potentially be used to break into their accounts on other sites. But, given the number of characters in the IDs and therefore the number of combinations, they said it would be nearly impossible to find a single active page this way, even with millions of them. Of course, almost impossible is not the same as impossible.

Anyone with access to someone’s browsing history can also view the page. This could include an employer who logs employees’ internet activities, for example, or someone who accesses browser history on a public or shared computer.

“Security through obscurity is a terrible model for health records,” Sean O’Brien, founder of the Yale Privacy Lab, told Recode.

What greatly compounds this potential leak is the amount of data stored on the website and who else might have access to it. Only the patient’s name, type of test, time and location of the appointment are visible on the public pages themselves, but much more than that is behind the scenes, accessible through any browser.

As with immunization appointments, Walgreens needs a lot of personal data to register for any of its tests: full name, date of birth, phone number, email address, mailing address, and gender identity. And with just a few clicks in a browser’s developer tools panel, anyone with access to a specific patient’s page can find this information.

Walgreens confirmation pages contain a lot of sensitive personal information (blurred).

An “orderId” and the name of the laboratory that performed the test are included. This is all the information someone would need to access test results through at least one of Walgreens’ lab partners’ Covid-19 test results portals, although only results from the past 30 days were available when a Recode reporter consulted theirs.

Ruiz and the other security experts Recode spoke to were also alarmed at the number of trackers Walgreens has placed on its confirmation pages. They flagged the possibility that companies that own these trackers – including Adobe, Akamai, Dotomi, Facebook, Google, InMoment, Monetate, as well as one of their data sharing partners – could ingest patient IDs, which could be used to discover the URLs of the appointment pages and access the information they contain.

“The sheer number of third-party trackers attached to the appointment system is an issue, before considering the sloppy setup,” said O’Brien of Yale.

Analysis by Edwards, the privacy researcher, found that several of these companies were obtaining URIs, or Uniform Resource Identifiers, from the appointment pages. These could then be used to access patient data if the receiving company so wished. He said this type of leak is similar to what he discovered on websites such as Wish, Quibi and JetBlue in April 2020 – but “much worse”, as only email addresses were leaked in those cases.
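The two mechanisms the experts describe, an unauthenticated page keyed only by an ID in the query string and third-party trackers that receive that URL, can be checked for on any similar site. The following is an added example written for this article, not code from Walgreens, Recode or the researchers quoted: it takes a constructed confirmation URL and a constructed list of third-party requests (hostnames, parameter names and the ID are invented) and reports which hosts received the patient ID and by what route, then puts the article’s “32-digit ID, millions active” guessing argument into a number.

```python
from urllib.parse import urlparse, parse_qs, urlencode, unquote

# Constructed sample, not data from the article: a confirmation page whose
# patient ID sits in the query string, plus the third-party requests a browser
# would fire while loading it. Hosts, parameter names and the ID are made up.
PATIENT_ID = "00000000000000000000000000000042"
PAGE_URL = "https://pharmacy.example/covid/confirm?" + urlencode({"patientId": PATIENT_ID})

CAPTURED_REQUESTS = [
    # (request URL, Referer header the browser attached to it)
    ("https://tracker-a.example/collect?" + urlencode({"u": PAGE_URL}), None),
    ("https://tracker-b.example/pixel.gif", PAGE_URL),
    ("https://cdn.example/app.js", "https://pharmacy.example/"),
    ("https://tracker-c.example/beacon?" + urlencode({"id": PATIENT_ID}), PAGE_URL),
]

def patient_id_from(url):
    """Return the patientId query parameter of a confirmation URL, or None."""
    return parse_qs(urlparse(url).query).get("patientId", [None])[0]

def audit_leaks(page_url, requests):
    """Map each third-party host to how it received the patient ID.
    "request-url": the ID (or the whole page URL) was copied into the tracker's
    own request by a script on the page; a Referrer-Policy does not stop this.
    "referer": the browser's Referer header carried the page URL with its query
    string, which Referrer-Policy: no-referrer would suppress.
    """
    pid = patient_id_from(page_url)
    first_party = urlparse(page_url).hostname
    leaks = {}
    for url, referer in requests:
        host = urlparse(url).hostname
        if host == first_party:
            continue  # only third parties matter here
        vias = []
        if pid in unquote(url):
            vias.append("request-url")
        if referer and pid in unquote(referer):
            vias.append("referer")
        if vias:
            leaks[host] = tuple(vias)
    return leaks

def expected_guesses(id_digits, active_ids):
    """Expected random guesses before hitting one active ID in a 10**id_digits space."""
    return 10 ** id_digits // active_ids
```

With 32 decimal digits and five million active IDs, `expected_guesses(32, 5_000_000)` is 2 × 10^25, which is why the experts call enumeration impractical; the audit output shows that the trackers, not guessing, are the realistic path to an active URL, and that only removing the ID from the URL and requiring authentication closes both routes.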

“This is either a targeted advertising data stream, which would be really disappointing, or a colossal error that exposes a large portion of Walgreens customers to data supply chain breaches,” Edwards said.

Walgreens told Recode it was a “top priority” to protect the personal information of its patients, but it also had to balance the need to secure the information and make Covid-19 tests “as accessible as possible for people looking for a test.”

“We are continually evaluating our technology solutions to provide safe, secure and accessible digital services to our customers and patients,” said Walgreens.

Again, Walgreens didn’t fix the issues until after the extended deadline Recode provided the company, nor did it tell Recode if it planned to do so. It did not respond to Recode’s questions about ad trackers except to say that its use of cookies is explained in its privacy policy. However, tracking through cookies was not the issue that Recode and Ruiz identified at Walgreens, and the company did not comment further when this was explained to it.

“This is a clear example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” Edwards said. “I am shocked that they are refuting this blatant violation.”

Data from Ruiz’s family member, along with potentially millions of other patients, remains in place today.

“This is just another example of a large corporation prioritizing its profits over our privacy,” he said.
