Walgreens has disclosed that a flaw in the personal secure messaging feature of its mobile app allowed unauthorized access to personal data stored in a Walgreens database. The company also said the issue did not impact financial data and affected a small number of customers.
Walgreens submitted a sample customer letter posted on the website of the State of California Attorney General.
“We recently learned of unauthorized disclosure of one or more of your secure messages within the Walgreens mobile app. We are contacting you to provide you with information about the incident and also with information about steps you can take to protect yourself,” signed by Rina Shah, PharmD and VP of Pharmacy Operations at Walgreens.
Walgreens discovered the issue on January 15, 2020 and confirmed the incident occurred between the 9th and the 15th of the same month.
The company said an “internal application error” allowed some personal messages stored in a database to be viewed by other customers who used the Walgreens mobile application.
The following personal data and “limited healthcare” information are impacted in the incident:
- First and last name
- Prescription number and drug name
- Store number
- Shipping address where applicable.
Finally, Walgreens said the incident likely impacted a “small percentage of impacted customers,” but did disable the message viewing feature within the Walgreens mobile app until a permanent fix is made available.