Originally posted at Vice by Sara Morrison

If you got a Covid-19 test at Walgreens, your personal data — including your name, date of birth, gender identity, phone number, address, and email — was left on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens’ site to collect. In some cases, even the results of these tests could be gleaned from that data.

The data exposure potentially affects millions of people who used — or continue to use — Walgreens’ Covid-19 testing services over the course of the pandemic.

Multiple security experts told Recode that the vulnerabilities found on the site are basic issues that the website of one of the largest pharmacy chains in the United States should have known to avoid. Walgreens has promoted itself as a “vital partner in testing,” and the company is reimbursed for those tests by insurance companies and the government.

Alejandro Ruiz, a consultant with Interstitial Technology PBC, discovered the issues in March after a family member got a Covid-19 test. He says he contacted Walgreens over email, phone, and through the website’s security form. The company was not responsive, he says, which didn’t surprise him.

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” Ruiz said.

Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities before publishing, but Walgreens did not do so…

Read more at Vice

Download PDF here