The breach in security, first reported by Alejandro Ruiz in March, stems from the pharmacy's COVID-19 test registration site. Because of the way the system is set up, each patient has their own unique URL that displays their personal information. Unfortunately, a user can take the letters and numbers in the slug (the identifying part of the URL) and switch them around. In some cases, this could load the profile of someone entirely different.
Of course, if someone wanted to go through all possible combinations, they could create a bot to do that for them. The bot could then scrape the confidential data and put it into the hands of strangers.
"In some cases," Vox reports, "even the results of these tests could be gleaned from the data."
Additionally, Walgreens refused to acknowledge to Vox that the site was insecure. Days later, the pharmacy added an identity authentication step: date of birth. Vox reports, "Multiple ad trackers are still present on patient pages," meaning that the corporate trackers Walgreens uses by default on its website are still scraping that data.
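The following is an added example, not code from Walgreens or Vox. It contrasts a lookup where the URL slug alone selects the record with one that also requires the date of birth and limits repeated guesses. The record store, slugs, function names and per-client failure counter are assumptions made for illustration.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; slugs and fields are made up for illustration.
RECORDS = {
    "a1b2c3": {"name": "Patient One", "dob": "1980-01-02", "result": "negative"},
    "a1b3c2": {"name": "Patient Two", "dob": "1975-06-30", "result": "positive"},
}
MAX_FAILURES = 5
_failures = defaultdict(int)  # failed attempts per client (hypothetical key, e.g. an IP)


def view_record_url_only(slug):
    """Behaviour the article describes: the URL slug alone selects the record."""
    return RECORDS.get(slug)


def view_record_checked(slug, dob, client):
    """The slug locates the record; a matching date of birth is required to read it."""
    if _failures[client] >= MAX_FAILURES:
        return None  # throttle clients that keep guessing
    record = RECORDS.get(slug)
    # Compare against a dummy value when the slug is unknown, so that
    # "no such record" and "wrong date of birth" look the same to the caller.
    expected = record["dob"] if record else "0000-00-00"
    matches = hmac.compare_digest(expected.encode(), dob.encode())
    if record is None or not matches:
        _failures[client] += 1
        return None
    return record


def new_slug():
    """Unguessable identifier: 128 random bits rather than a short, related string."""
    return secrets.token_urlsafe(16)
```

A date of birth has few possible values, so the attempt limit matters as much as the check itself.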
“Protecting personal information of our customers and patients is always one of our highest priorities, which we take very seriously,” the company said.