Error in Walgreens Mobile App Secure Messaging Feature Exposed PHI

Walgreens has started notifying customers that some of their protected health information (PHI) may have been accessed by other people because of an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging feature lets registered customers receive SMS prescription refill alerts, deals, and discount coupons. An undisclosed error in the app permitted other customers to view the information in its database.

Affected customers were advised that other individuals may have viewed one or more of their personal messages from January 9, 2020 to January 15, 2020. The personal messages possibly disclosed patients' first and last names, medication name and prescription number, store number, and shipping address. Walgreens reported that health-related information was exposed for a limited number of affected customers. The messages did not include Social Security numbers or financial information.

According to a breach notice sent to the California Attorney General on Friday, Walgreens detected the error on January 15, 2020. Walgreens quickly disabled viewing of messages to prevent any further unauthorized disclosures while the incident investigation was in progress. Walgreens confirmed that the problem was due to an internal application error and implemented a technical correction to resolve it.

The Walgreens mobile app has over 10 million downloads from the Google Play store, but the problem affected only a small percentage of customers. According to the data breach summary on the Department of Health and Human Services' Office for Civil Rights breach portal, the breach affected 6,681 people. The number of personal messages accessed by other customers due to the error is not clear.

Walgreens will conduct additional testing of the mobile app before releasing any updated versions to make sure the updates do not affect customer privacy.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA