Some confidential messages sent to Walgreens customers via its mobile app were viewable by other customers, according to a Walgreens notification letter seen by ZDNet.
The app’s messaging feature allows registered customers to receive pharmacy alerts that include prescription refill notifications.
Walgreens said the data was exposed from January 9 until January 15.
“Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue,” the company wrote in the letter.
The pharmacy giant’s investigation into the incident revealed that “certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers.”
Specifically, the data included a customer’s first and last name, prescription number and drug name, store number, and, in some cases, the shipping address.
The company pointed out that no financial data — including Social Security numbers and bank account information — was involved in the incident. Nevertheless, the idea that highly personal information linked to health matters may have been seen by random strangers is likely to be of some concern to those affected.
The letter from Walgreens also included information on action that affected customers can take to protect their data from misuse, such as tips on identity theft protection.
Walgreens’ mobile app has had more than 10 million installs on Android. The install count for iOS isn’t listed, though it has received more than 2.5 million ratings by those who use it. The app receives high scores on both app stores, making the security error all the more disappointing for those who had placed faith in Walgreens’ ability to look after their data.
We’ve reached out to the Illinois-based company to ask how many of its customers have been affected by the bug and we will update this piece when we hear back.
Of course, this isn’t the first time that a company trusted with customer information has left it exposed online, and it won’t be the last. Just recently, smart-device maker Wyze revealed a number of data breaches that left personal data linked to millions of its customers exposed online, while Microsoft, USPS, and Tumblr, among others, have also suffered similar incidents.
