Walgreens Reports Data Breach from Personal Mobile Messaging App Error

A report filed with California shows that an internal error in the Walgreens mobile messaging app made personal messages stored in its database viewable by other customers.

Walgreens announced on Friday that it inadvertently exposed the personal messages stored on its messaging app due to an internal error.

On January 15, officials said, they first discovered an error in the Walgreens personal secure messaging feature and launched an investigation. They found a data compromise that allowed personal messages stored in its database to be viewed by other customers.

Upon discovery, Walgreens temporarily disabled message viewing to prevent continued exposure and “implemented a technical correction that resolved the issue.” The investigation revealed that some health-related information was breached for a small percentage of its customers for nearly a week between January 9 and January 15, 2020.

The exposed data included customer names, prescription numbers and drug names, store numbers, and shipping addresses, where applicable. Financial data, bank account information, and Social Security numbers were not compromised during the incident.

“Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue,” officials explained. “Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data.”

It’s unclear how many individuals were impacted by the security incident. The Google Play Store shows over 10 million downloads of the app, and Walgreens is the second-largest US pharmacy chain. While the app is likely not covered by HIPAA, the incident does shed light on the privacy concerns raised by consumers' use of third-party apps.

As the Department of Health and Human Services readies the finalized interoperability and information blocking rules, the privacy of third-party apps has remained a source of contention given the rules' heavy reliance upon third-party apps. HHS recently reminded healthcare organizations that third-party apps chosen by patients are often not subject to HIPAA regulation.

A long list of security stakeholders have also stressed that apps pose serious privacy and security concerns, and EHR giant Epic recently began its own campaign arguing against the rules on privacy grounds. Industry leaders, however, have pointed out that only Congress can shore up these HIPAA gaps.

Several Senators and Congressmen have proposed privacy-related bills focused on consumer privacy rights, but so far the only point of agreement is that any federal privacy legislation would have to be bipartisan.

For now, the data remains at risk. Several reports have shown health and mental health apps routinely share user data, while even the Centers for Medicare and Medicaid Services suffered its own app breach. The CMS Blue Button 2.0 API was taken offline after a coding error potentially exposed the protected health information of about 10,000 beneficiaries.
