How do you order your prescriptions and refills? Many folks use online pharmacies because of the competitive prices and convenience they provide. But that could also be putting your personal information at risk. A security flaw discovered on the popular online pharmacy PillPack.com could have exposed private customer information to hackers.
When a new customer signs up on PillPack.com, the company uses their identifying information to pull their prescription history from pharmacies they've used in the past.
Security professional Yakov Shafranovich discovered a glaring problem with PillPack.com's verification process. When looking up previous pharmacy information, the site used only name and birth date to verify identities, rather than other identifying information such as a Social Security number. That means anyone could access your information using just your full name and birth date.
To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
PillPack.com has since fixed the problem. The site now uses additional measures to verify identities, so easily accessible information like your name and birthday isn't the only thing protecting your prescription history from criminals. But that doesn't mean the problem is completely solved.
While the vulnerability in this disclosure only affects one pharmacy, it is a sign of a large misalignment in security design of existing health care systems. The underlying networks interlinking the pharmacies are assumed to be accessible by licensed pharmacists only, operating under strict state and federal laws, and have not been designed with Internet connectivity in mind.
Your healthcare data is extremely valuable to hackers. Hopefully, other online pharmacies take this as a warning and check their systems to make sure they're secure.