The personal information of potentially millions of Walgreens customers could be vulnerable, say security experts.
According to reporting from Recode, the nation’s largest pharmacy failed to protect the personal data of customers who got a COVID-19 test at one of its locations nationwide—and that could make information including names, dates of birth, gender identities, phone numbers, addresses, and emails available to everyone from hackers to ad trackers.
A spokesperson for Walgreens disputed the report, providing the following statement: “Protecting personal information of our customers and patients is always one of our highest priorities, which we take very seriously. We have implemented a strong security program to protect our patient data. This article is not an accurate assessment of our security protections in place on our Covid-19 testing website.”
The issues center around Walgreens’ COVID test registration system, which customers must use if they wish to be tested. Once patient information is entered, the system generates a 32-digit ID number associated with the patient. That ID number is included in the appointment request page—and anyone with the URL can access the page.
Those pages remain active for at least six months, Recode reports.
While the appointment pages themselves don’t list all of the personal information patients enter, that information is accessible via a browser’s developer tools panel. Also accessible is the name of the lab that performed the test, which could help others discover the results of your test.
The pages are also loaded with ad tracking software, which could allow companies ranging from Akamai to Facebook to Google access to the information.
A determined hacker could write a bot that could guess many of those ID numbers, scraping the information and using it to potentially hack other accounts or steal the patient’s identity. Experts note that randomly guessing a number, though, would be extremely challenging.
“Statistically, the probability of being able to access a patient record by randomly guessing equates to one in multiple trillions, since the system randomly generates a unique, 32-digit hexadecimal URL link,” said a Walgreens spokesperson in a statement. “We have multiple layers of security to mitigate the risk of unauthorized access to Covid testing data. We are not aware of any credible evidence of unauthorized access to patient data. We work with industry-leading cybersecurity experts to ensure that appropriate security is in place which regularly evolves to respond to changing threats. During the Covid-19 pandemic, our stores and pharmacies have provided safe, reliable testing to our communities across America.“
Walgreens has been a hub for COVID testing and vaccine dispersal. Barclays predicts the chain will administer about 12.5% of all U.S. vaccines. And that has presented the company with an opportunity to win over customers to its retail business, as well as future ventures.
Update, September 14, 2021: This article has been updated with a comment from Walgreens.
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.
