Walgreens COVID-19 test registration system left patient data unprotected - Recode

2 minute read

People work behind a pharmacy counter at a Walgreens store in Chicago, Illinois, U.S. February 11, 2021. REUTERS/Eileen T. Meslar

Register now for FREE unlimited access to

Sept 13 (Reuters) - Drugstore chain Walgreens Boots Alliance's (WBA.O) COVID-19 test registration system exposed data of potentially millions of people, including their phone numbers and email addresses, Recode reported on Monday.

The data also exposed names, dates of birth and gender identities on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens' site to collect, the report said. (

In some cases, the results of these tests could also be taken from the exposed data, the report added.

Register now for FREE unlimited access to

Active unique patient IDs could be guessed, or a hacker could create a bot that rapidly generated URLs with the IDs in the hope of hitting active pages, security experts told Recode, giving them a source of biographical data about people they could potentially use to hack their accounts on other sites, according to the report.

Given how many characters are in the IDs and therefore how many combinations there are, the security experts said it’d be close to impossible to find just one active page this way, the report said.

"We routinely evaluate our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients and we regularly review and incorporate additional security enhancements when necessary," Walgreens said in a statement.

Register now for FREE unlimited access to
Reporting by Dania Nadeem, additional reporting by Sabahatjahan Contractor in Bengaluru; Editing by Krishna Chandra Eluri and Uttaresh.V

Our Standards: The Thomson Reuters Trust Principles.

More from Reuters