
Did you take a COVID test at Walgreens? Records of it were left open online

Millions of people across the country have stood in line for a COVID-19 test. By the last count, over 606 million tests have been conducted. Whatever your results were, if you got a COVID test from Walgreens, there is some bad news.

The pharmacy chain set up COVID-19 testing services for customers to use, making it easier to schedule a test and get the results. To do this, you have to supply personal details that include your name and email address.

But it turns out that the website isn’t as secure as it should have been. A security researcher’s investigation found that Walgreens’ testing services lacked adequate protection from intrusion.

Here’s the backstory

The data of millions of customers was left out in the open on the company’s server, and anybody who knew where to look could find it. The exposed information from Walgreens customers who got tested includes:

  • Name
  • Birthday
  • Gender
  • Phone number
  • Home address
  • Email address

In some cases, the results of the COVID-19 tests were also visible. The data could also have been harvested by Walgreens’ own advertising trackers. The data exposure was discovered by Alejandro Ruiz, and Vox’s tech publication Recode reported it to Walgreens.

The publication claims that Walgreens has yet to fix the problem, and only issued a generic statement. “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate,” Walgreens said. Either the pharmacy chain is aware of it, or they are playing down the severity of the situation.

What you can do about it

To get a test through Walgreens, you must sign up on its website. After putting all your details into the form, you are assigned a unique 32-digit ID number. This number makes up the URL for your appointment and any associated details.

Because the number is exposed in the URL, anybody with a link can simply change it to see what data is presented. There are no authentication measures in place, so anyone can access the modified URL without authorization.
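The missing check described above, shown as an added example (this is not Walgreens' code): the first function treats the ID in the URL as the only gate, and the second requires a logged-in session that owns the record. The store, session tokens, IDs, field values and function names are all constructed for illustration.

```python
# Constructed sample data: appointment ID (32 hex characters) -> record.
ALICE_ID = "0f3c9a7e5b1d4c2e8a6f0b9d7c5e3a11"
BOB_ID = "0f3c9a7e5b1d4c2e8a6f0b9d7c5e3a12"
APPOINTMENTS = {
    ALICE_ID: {"owner": "alice", "name": "Alice Example", "result": "negative"},
    BOB_ID: {"owner": "bob", "name": "Bob Example", "result": "positive"},
}
# Constructed session table: token issued at login -> user it belongs to.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
# Denied lookups are recorded so repeated ID guessing shows up in review.
DENIED = []


def get_appointment_insecure(appt_id):
    """Pattern from the article: whoever holds the URL gets the record."""
    return APPOINTMENTS.get(appt_id)


def get_appointment(appt_id, session_token):
    """Hardened lookup: authenticate first, then check record ownership."""
    user = SESSIONS.get(session_token)
    if user is None:
        DENIED.append((None, appt_id))
        raise PermissionError("authentication required")
    record = APPOINTMENTS.get(appt_id)
    # Same answer for "no such ID" and "not your record", so the response
    # does not confirm which IDs exist.
    if record is None or record["owner"] != user:
        DENIED.append((user, appt_id))
        raise LookupError("appointment not found")
    # Return only what the page needs; the internal owner field stays server-side.
    return {k: v for k, v in record.items() if k != "owner"}


if __name__ == "__main__":
    print(get_appointment_insecure(BOB_ID))       # readable with no login at all
    print(get_appointment(ALICE_ID, "tok-alice"))  # owner sees her own record
    try:
        get_appointment(BOB_ID, "tok-alice")       # changed ID, wrong owner
    except LookupError as exc:
        print("denied:", exc, DENIED)
```
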

If you think that your data might have been exposed, it is always a good idea to be on the lookout for anything suspicious. This can include spam emails or text messages, or phishing emails that want to gather more information. Here are a few ways to avoid becoming a victim of phishing emails:

  • Enable 2FA – When available, enable two-factor authentication as an extra step to lock down your account.
  • Don’t click that link – Never click on links or open attachments found in unsolicited emails. They could be malicious and lead to tons of problems.
  • Scrutinize the sender’s email address – Look for anything out of the ordinary like small typos or spelling mistakes.
