If you have a Covid-19 test at Walgreens, most of your information – including your name, date of birth, gender, phone number, address, and email – is left online for everyone to view and post multiple trackers on the Walgreens page to collect. In some cases, even the results of a test can be obtained from the same source.
The demonstration could affect millions of people who use – or continue to use – Walgreens’ Covid-19 testing activities during the epidemic.
Several security experts told Recode that the complications found on this page are the most important ones that one of the largest medical websites in the United States should have known given. Walgreens ali they exalted themselves as a “essential partner for testing,” and the company is reimbursed for those tests by insurance companies and the state.
Alejandro Ruiz, consultant for Interstitial Technology PBC, realized this in March after the birth of the Covid-19 test. He is said to have made contact with Walgreens via email, phone, and via the website form of security. The company did not respond, he said, which did not surprise him.
“Any company that has made major mistakes in a program that uses health information is the one that doesn’t take security,” Ruiz said.
Recode informed Walgreens of Ruiz’s findings, which were confirmed by two other security experts. Recode gave Walgreens time to resolve the issue before publishing, but Walgreens did not.
“We look at the frequency and integration of additional security features if they appear to be necessary or appropriate,” the company told Recode.
Much of the public information may be disclosed to many advertising and data companies to use for their own purposes, or they may be disappointed to receive a Covid-19 test from Walgreens if they do not believe their data will be secure. Platform problems are also present china For example how technically it is meant to support the epidemic’s efforts to capture or use it quickly and recklessly so that you can catch it privacy and security meditation.
Walgreens would also not say that his writing platform on testing has had such difficulties. They go back as far as March, when Ruiz finds them, and probably longer than that. Walgreens ali provided The Covid-19 test from April 2020, with the Wayback Machine, which stores online archives, demonstrations pages analysis of validation tests since July 2020, showing that the issue has been resumed for some time.
These problems are in the Walgreens’ Covid-19 test registry, which anyone who wants to be tested by Walgreens should use (unless purchased over the counter test). When the patient registers and submits the form, he or she is assigned a 32-digit ID number and a selection page is created, which contains a unique ID in the URL.
Anyone with a page URL can see the details; there is no need to prove that I am ill or to log into an account. The site remains active for six months, or longer.
“Walgreens’ s innovative methods of protecting people’s privacy have not been developed,” Zach Edwards, a privacy analyst and founder of analytics company Victory Medium, told Recode.
The URLs of these pages are the same except for the unique patient ID contained in the so-called “query string” – the part of the URL that begins with the query. While millions of trials at more than 6,000 Walgreens sites are tested using this style, there are probably millions of IDs out there. A functional symbol can be thought of, or a hacker can create a bot that generates URLs quickly and hopefully hit any pages that come out, security experts told Recode, and give them a source of information about potential users. which can be used for theft their accounts on other pages. But, depending on how many are in the IDs and why there are mixed ones, he said it would not be possible to get just one page this way – even with millions of them out there. Of course, near the impossible is not the same as the impossible.
Anyone with a browsing experience for someone else can view the page. This could include co-workers who log in to employees’ online activities, for example, or someone who can use a computer browser in a group or in a shared group.
“Hidden security is the worst kind of health care,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.
What makes this loss worse is just reading more on the page and who can find it. Only those patients, type of test, selection time and location are available and appear on the public page, but more than the background, which is available through each browser.
As with the vaccine, Walgreens needs more information to register for the exam: full name, date of birth, phone number, email, email address, and gender identity. And with a little click of a browser browser tool, anyone who can find another patient’s page can find this.
:no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22832523/walgreens_json_payload_blurred.jpg)
Included is “orderId,” as well as the name of the lab that performed the test. That’s all one would need to get a test result through one of the Walgreens ’Covid-19 test statistics, though only the results of the last 30 days were found when a Recode reporter looked at him.
Ruiz and other Recode security experts also expressed concern over the number of Walgreens trackers posted on his confirmation page. He also said that companies with these trackers – including Adobe, Akami, Dotomi, Facebook, Google, InMoment, Monetate, and their data-sharing partners – can swallow patient IDs, which can be used to find URLs of selected pages and find them. a lot of what he has.
“Only a handful of third-party candidates have a problem with the selection process, before you think about it,” said O’Brien of Yale.
A study by Edwards, a privacy analyst, found that most of these companies were finding URIs, or Uniform Resource Identifiers, in selected pages. This can be used to get sick if the host company would like it. He said the loss was the same his findings on websites including Wish, Quibi, and JetBlue in April 2020 – but “very bad,” because only emails were released during this period.
“This is either a way to get into professional marketing, which can be really frustrating, or a big mistake that has put a large portion of Walgreens’ customers at risk of data breach,” Edwards said.
Walgreens told Recode that it was “first and foremost” to protect patient information, and that it should also balance the need for more information and make Covid-19 testing “possible for people who want to test.”
“We continue to monitor our professional responses to find reliable, secure, and feasible services for our clients and patients,” Walgreens said.
Once again, Walgreens did not settle the matter on the last day before Recode was presented to the company, nor could it tell Recode if he wanted to do so. He did not respond to Recode’s queries regarding advertisers but stated that the use of cookies was defined as confidential. However, tracking cookies was not a problem that Recode and Ruiz identified with Walgreens, and the company did not respond to any further requests.
“This is an obvious example [of this type of vulnerability], but with Covid’s knowledge and tons of information you can identify, “Edwards said.” I’m sorry he’s denying this. “
Much of Ruiz’s family, as well as that of millions of other patients, is still intact.
“It’s just another example of a large company that prioritizes its profits rather than being isolated,” he said.