Potential Walgreens Privacy and HIPAA issues?

It appears that Walgreens has some potentially serious Privacy and HIPAA issues on their web site.

We have a report about a parent who was creating a Walgreens account for their child so they could print out the receipts. It appears that you can create an account for anyone as long as you know their birthday and name.

The steps are as follows.

1. Use the Rx sign-up option:
https://www.walgreens.com/register/pharmacyRegistration.jsp

2. Enter the person’s name, gender, and birthday. Fill in the rest of the form with an address and phone number; this information does not have to match the person whose prescription it is. The reader used their own address and their own phone number, instead of those of the child’s other parent.

3. Walgreens will want you to call from the phone number you entered and enter a security code. If you call from a different number, Walgreens will transfer you to a person who will ask what phone number you entered and probably the name of the person.

4. Once you do that, it is verified and you have access to anyone’s prescription history at Walgreens going back at least to 2012.

We have verified the above procedure too, and it does indeed seem that Walgreens needs to do a better job of protecting customers’ information.
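The gap in steps 2 and 3 is that every contact check compares the caller against values the caller typed into the form. The sketch below is an added example, not Walgreens code: it models that flow next to a check bound to the data already on file. The `Person` record, the function names, the decision strings and the sample data are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Person:
    """Name, birthday and contact details; used for both sides of the check."""
    name: str
    dob: date
    phone: str
    address: str

def _digits(phone):
    return "".join(c for c in phone if c.isdigit())[-10:]

def _same_patient(form, on_file):
    return (form.name.casefold(), form.dob) == (on_file.name.casefold(), on_file.dob)

def weak_verify(form, on_file, caller_id, phone_told_to_agent=None):
    """Model of the flow described above: every contact check compares the
    caller against the form, which the caller filled in themselves."""
    if not _same_patient(form, on_file):
        return False
    if _digits(caller_id) == _digits(form.phone):
        return True
    # Fallback to a human agent, who asks which number was entered on the form.
    return (phone_told_to_agent is not None
            and _digits(phone_told_to_agent) == _digits(form.phone))

def hardened_verify(form, on_file, caller_id):
    """Name + birthday only locate the record; proof must come from data the
    pharmacy already holds. Caller ID can be spoofed, so even a full match
    only triggers a one-time code to the on-file phone, never direct access."""
    if not _same_patient(form, on_file):
        return "reject"
    if (_digits(form.phone) != _digits(on_file.phone)
            or form.address.casefold() != on_file.address.casefold()):
        return "manual_review"   # e.g. in-person ID check or code mailed to on-file address
    if _digits(caller_id) != _digits(on_file.phone):
        return "manual_review"
    return "send_code_to_on_file_phone"

# Constructed sample data: the record on file, a sign-up by someone else
# using their own contact details, and an unrelated name.
ON_FILE = Person("Pat Example", date(2005, 4, 1), "555-010-0001", "1 Main St")
FORM = Person("Pat Example", date(2005, 4, 1), "555-010-0002", "9 Other Rd")
STRANGER = Person("Sam Other", date(1990, 1, 1), "555-010-0003", "2 Elm St")
```
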

[Update May 3, 2015:
It appears that PillPack.com has a similar issue:
http://blog.shaftek.org/2015/05/01/security-advisory-pillpack-com/]