In mid-January an error in the Walgreens app led to the leak of customers' secure messages. Specifically, the error allowed customers to see each other's information, including personal data such as names and prescription drug information.
The company announced the breach late last week, assuring customers that following the breach it disabled the message viewing feature in the app “to prevent further disclosure until a permanent correction was implemented.”
“Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app,” Rina Shah, VP of pharmacy operations at Walgreens, wrote in a letter to customers who were impacted. “Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.”
Individuals' financial information, bank information and Social Security numbers were not compromised. In the letter, Shah urged customers to monitor their prescription and medical records to make sure that an outside party has not made changes.
WHY IT MATTERS
App-based texting is now a mainstream way of connecting with healthcare providers and pharmacies. In the wake of this announcement, security professionals have been vocal about steps app makers must take to avoid this kind of situation in the future.
“While the language suggests that this was due to a system error rather than an attack against the application’s authorization, it highlights the importance of rigorously testing software,” Jack Mannino, CEO at nVisium, a Herndon, Virginia-based application security provider, said in a statement sent to MobiHealthNews. “Mobile applications and APIs have a lot of interfaces, where we need to understand how our systems behave when they fail, whether it’s through intentional attacks or inadvertent errors with unintended consequences.”
However, other stakeholders have a different take — praising the retail pharmacy’s response.
“I commend Walgreens for detecting the vulnerability in their mobile app and closing the gap in relatively short order,” Fausto Oliveira, principal security architect at Acceptto, wrote in a statement to MobiHealthNews. “It appears that they have invested well in detective capabilities. Incidents will happen, and how a company detects and responds to an incident, along with the level of transparency that is used, can go a long way in repairing lost customer trust.”
THE LARGER TREND
HIPAA permits “readily producible” private health information to be transferred to a patient through their preferred medium, as long as the provider can do so in a way that wouldn’t present an “unacceptable level of security risk” to personal health information.
However, there are still a lot of questions about ensuring the safety of that information. In 2018, Xcertia, a standards and guidelines body for mobile apps, announced the draft release of its updated Privacy and Security Guidelines, which provide practical and descriptive advice for health app designers.