Walgreens’ Covid-19 test registration system exposed patient data


If you received a test for Covid-19 at Walgreens, your personal information (including your name, date of birth, gender identity, phone number, address, and email) was left exposed on the open web, where potentially anyone could see it and where the multiple ad trackers on Walgreens’ site could collect it. In some cases, even the results of these tests can be obtained from this data.

The exposure potentially affects millions of people who used — or continue to use — Walgreens’ Covid-19 testing services during the pandemic.

Numerous security experts told Recode that the vulnerabilities found on the site were major issues that the website of one of the largest pharmacy chains in the United States should have known to avoid. Walgreens has established itself as a “vital testing partner” and the company has been reimbursed for these tests by insurance companies and the government.

Alejandro Ruiz, a consultant with Interstitial Technology PBC, discovered the problems in March after a family member received a test for Covid-19. He says he contacted Walgreens by email, phone and through the website’s security form. The company did not respond, he said, which did not surprise him.

“Any company that has made such major mistakes in an application that processes healthcare data is one that doesn’t take security seriously,” Ruiz said.

Recode briefed Walgreens on Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to fix the vulnerabilities before publishing, but Walgreens did not.

“We regularly review and include additional security enhancements when we deem it necessary or appropriate,” the company told Recode.

People’s sensitive data may be exposed to a variety of advertising and data companies for their own use, or people may be discouraged from getting a Covid-19 test from Walgreens if they are unsure that their data will be protected. The platform’s vulnerability is also another example of how technology designed to help stop a pandemic has been built or deployed too quickly and carelessly to take full account of confidentiality and security.

Walgreens also would not say how long its test registration platform has had these vulnerabilities. They date back at least to March, when Ruiz found them, and probably much longer than that. Walgreens has offered Covid-19 tests since April 2020, and the Wayback Machine, which archives pages on the internet, shows blank test confirmation pages as early as July 2020, indicating that the problem dates back at least that far.

The problems are in Walgreens’ Covid-19 test appointment registration system, which anyone who wants to get a test from Walgreens must use (unless they buy a test without a prescription). After the patient completes and submits the form, a unique 32-digit ID number is assigned to it and an appointment request page is created that has the unique ID in the URL.

The page created after a patient registers for a Covid-19 test (patient ID in URL is blurred).

Anyone who has a link to this page can see the information on it; they do not need to verify that they are the patient or log in to an account. The page remains active for at least six months, if not longer.

“The technical process that Walgreens implemented to protect people’s sensitive information was almost non-existent,” Zack Edwards, a privacy researcher and founder of the research firm Victory Medium, told Recode.

The URLs for these pages are the same except for the unique patient ID, which is contained in the “query string,” the part of the URL that begins with a question mark. Since millions of tests at more than 6,000 Walgreens test sites have been performed using this registration system, there are probably millions of active IDs. An active ID could be guessed, or a determined hacker could create a bot that quickly generates URLs in hopes of hitting active pages, security experts told Recode, giving them a source of biographical data about people that they could potentially use to hack those people’s accounts on other sites. But given how many characters the IDs contain, and therefore how many combinations there are, they said it would be almost impossible to find even one active page this way, even with millions of them. Of course, close to impossible is not the same as impossible.

Anyone who has access to someone’s browsing history can also see the page. This may include an employer who logs employees’ internet activity, for example, or someone who accesses the browser history on a public or shared computer.

“Security through ambiguity is a terrible model for health records,” Sean O’Brien, the founder of Yale’s privacy lab, told Recode.

What significantly increases the potential leakage is how much data is stored on the website and who else could access it. Only the patient’s name, the type of test and the time and location of the appointment are visible on the public pages themselves, but much more than that is behind the scenes, accessible through any browser.

As with vaccine appointments, Walgreens requires a lot of personal information to register for one of its tests: full name, date of birth, phone number, email address, postal address and gender identity. And with a few clicks in the browser’s toolbar, anyone who has access to a particular patient’s page can find that information.

Walgreens confirmation pages contain very sensitive personal information (blurred).


An “orderId” is also included, as well as the name of the laboratory that performed the test. This is all the information someone would need to access test results through at least one of the Covid-19 test results portals run by Walgreens’ lab partners, although only results from the last 30 days were available when a Recode reporter checked.

Ruiz and the other security experts Recode spoke to also expressed concern about the number of trackers Walgreens placed on its confirmation pages. They noted the ability of the companies that own these trackers (including Adobe, Akamai, Dotomi, Facebook, Google, InMoment, Monetate, as well as some of their data sharing partners) to collect patient IDs, which can be used to work out the URLs of appointment pages and access the information they hold.

“Only the large number of third-party trackers attached to the recruitment system is a problem before you consider the careless setup,” said O’Brien of Yale.

The analysis by Edwards, a privacy researcher, found that several of these companies receive URIs (Uniform Resource Identifiers) from appointment pages. These could then be used to access patient data if the receiving company were so inclined. He said this type of leak was similar to what he found on websites including Wish, Quibi and JetBlue in April 2020, but “much worse” because in those cases only email addresses leaked.
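A site owner can check for the leak path described above by auditing the requests a confirmation page triggers. The following is an added example, not code from the article or from Walgreens; the hostnames, the `id` parameter name, the ID value and the simplified HAR-like capture are all constructed for illustration.

```javascript
// Constructed sample: requests triggered by loading one confirmation page.
// Simplified HAR-like shape (headers as a plain object, optional body).
const PAGE_URL =
  "https://pharmacy.example/covid/confirmation?id=0123456789abcdef0123456789abcdef";
const sampleEntries = [
  { url: "https://static.pharmacy.example/app.js", headers: { referer: PAGE_URL } },
  // Tracker script read location.href itself and sent it as a parameter.
  { url: "https://tracker-a.example/pixel?dl=" + encodeURIComponent(PAGE_URL),
    headers: { referer: "https://pharmacy.example/" } },
  // Tracker received the full page URL in the Referer header.
  { url: "https://tracker-b.example/collect", headers: { referer: PAGE_URL },
    body: "ev=PageView" },
  // Tracker saw only the origin, as under strict-origin-when-cross-origin.
  { url: "https://tracker-c.example/b/ss",
    headers: { referer: "https://pharmacy.example/" }, body: "" },
];

// Crude same-site test on the last two host labels (assumption for brevity;
// a real audit should use the Public Suffix List).
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// Undo up to two layers of percent-encoding so nested URLs are searchable.
function decoded(text) {
  let out = text || "";
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch { break; }
  }
  return out;
}

// Report each third-party host that received the page's ID, and through which channel.
function findIdLeaks(pageUrl, idParam, entries) {
  const page = new URL(pageUrl);
  const id = page.searchParams.get(idParam);
  if (!id) throw new Error(`no "${idParam}" parameter in page URL`);
  const leaks = [];
  for (const e of entries) {
    const host = new URL(e.url).hostname;
    if (site(host) === site(page.hostname)) continue; // first-party request
    const channels = [];
    if (decoded(e.url).includes(id)) channels.push("url");
    if (decoded(e.headers.referer).includes(id)) channels.push("referer");
    if (decoded(e.body).includes(id)) channels.push("body");
    if (channels.length) leaks.push({ host, channels });
  }
  return leaks;
}

console.log(findIdLeaks(PAGE_URL, "id", sampleEntries));
```

A restrictive Referrer-Policy closes only the `referer` channel; a tracker script running in the page can still read the full URL itself, so the identifier also has to be kept out of URLs on pages that load third-party scripts.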

“It’s either a targeted flow of advertising technology that would be really disappointing, or a colossal mistake that puts a huge portion of Walgreens customers at risk of disrupting the data supply chain,” Edwards said.

Walgreens told Recode that protecting patients’ personal information is a “top priority,” but that it must also balance the need to protect information with making the Covid-19 test “as accessible as possible to people looking for test.”

“We are constantly evaluating our technology solutions to provide safe, secure and affordable digital services to our customers and patients,” Walgreens said.

Again, Walgreens did not resolve the issues before the extended deadline Recode granted to the company, nor would it tell Recode if it planned to do so. It did not address Recode’s questions about ad tracking, except to indicate that its use of cookies was explained in its privacy policy. However, cookie tracking was not the problem Recode and Ruiz identified to Walgreens, and the company did not comment further when this was explained.

“It’s a clear example [of this type of vulnerability], but with Covid data and tons of personally identifiable information,” Edwards said. “I am shocked that they are refuting this clear violation.”

The data of Ruiz’s family member, along with that of potentially millions of other patients, remains exposed to this day.

“This is just another example of a large company prioritizing its profits over our privacy,” he said.
