Pharmacy store chain operator Walgreens notified some of its customers of a data security incident involving its mobile app.
According to a sample notification letter sent to Office of the Attorney General of California, Walgreens detected an error involving its app's secure personal messaging feature on January 15, 2020. The pharmacy store chain operator subsequently launched an investigation to determine what happened. This effort revealed that a flaw had allowed some customers' messages exchanged through the app to be viewable to other customers between January 9, 2020 and January 15, 2020. Walgreen's investigation found that the messages might have contained affected customers' full names, shipping addresses and some limited protected health information (PHI.) Specifically, the incident might have exposed the prescription numbers and drug names of affected individuals' active prescriptions, not to mention the numbers of the stores at which they shopped. The investigation found no evidence of the incident having exposed customers' bank account information or their Social Security Numbers. In its sample notification letter, Walgreens said it acted quickly to respond to the incident:
Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue. Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data.
While it works to further improve its security, Walgreens urged affected customers to monitor their prescription and medical records. It also said that these individuals should take the additional precaution of monitoring their financial accounts for any signs of suspicious activity. If they detect anything out of place, they should consider contacting their financial institution immediately and requesting another payment card if the anomalous activity involves their existing card. Affected customers can further protect themselves against identity thieves by following these guidelines.