When I first saw a headline in my newsfeed, “Local man finds another Walgreen customer’s info,” I thought this was going to be another story about improper records disposal. My first thought was, “Wow, after all Walgreen has gone through and may still be going through on records disposal, this is the last thing they need.”
But as I read the news coverage by Michael Finney, I realized that this was about an electronic breach involving their online site, walgreens.com.
Finney explains on ABC that a customer who logged in to get his prescription records discovered that he was seeing the records of another customer, complete with the other customer’s phone number, the names of their prescription medications, the prescribing doctors’ names, and how much they had paid for their prescriptions and when.
From a medical confidentiality standpoint, this is a serious privacy/HIPAA problem. From a health care standpoint, it’s also potentially problematic as it created a false medication record about the customer that might confuse or confound his treatment or insurance at some point.
The customer notified his local Walgreens’ store manager, who assured him corporate would look into it. But two months later, the problem still existed and the customer was still seeing someone else’s records and not his own. It was only after the customer contacted the news media that Walgreens got on it.
In a statement Walgreens gave to the news station, they wrote, in part:
“We are sorry this occurred and have apologized to the patient. We take online security very seriously, and the customer’s account has now been fixed. To ensure users are accessing the correct information, we have a multi-step authentication process to verify the user’s identity online. In addition, we have updated our process for matching patient profiles with online users. We also continue to investigate what happened in this case to help ensure issues are resolved promptly and a similar situation doesn’t happen again.”
It’s unclear how many other customers may have been viewing other customers’ prescription records or why it took Walgreens over two months to respond to notification that their site had a problem and was leaking data. It’s also unclear why their multi-step authentication was inadequate.
Walgreens has not responded to two phone messages left for them today requesting additional information about the problem, but if/when I get additional information, I’ll post it.