The second-largest pharmacy chain in the US recently disclosed a data breach that may have compromised the personal health information (PHI) of more than 72,000 individuals across the United States.
According to Walgreens spokesman Jim Cohn, prescription information of customers was stolen during May protests, when around 180 of the company’s 9,277 locations were looted.
Following the investigation, the company sent out notification letters to potentially affected customers on July 24.
“Sometime between May 26 and June 5, 2020, various groups of individuals broke into multiple Walgreens stores and forced entry into the secured pharmacy at select locations, including your preferred Walgreens,” the letter reads. “Among the many items stolen were certain items containing health-related information —such as filled prescriptions waiting for customer pick up and paper records”.
Although Walgreens assured customers that no Social Security numbers or financial information such as credit card or bank details was compromised, the stolen paper trail may have included a variety of personal and health information, including:
• Full name, address, date of birth/age, phone number and email address
• Clinical information such as medication name, strength, quantity and description
• Prescription number along with prescriber name, health plan name and group number
• Vaccination information including eligibility information
• Balance rewards number and Photo ID numbers
The letter also notes that the company closed out and re-entered impacted prescriptions in their system to prevent potential fraud regarding the original prescription.
“Insurance claims were also reversed for any stolen filled prescriptions that had already been billed to health plans,” Walgreens added.
Although the company has taken precautions to prevent fraudulent use of customer information, Walgreens is also providing complimentary 12-month credit monitoring. They advise affected individuals to monitor their prescriptions and medical records to protect against medical identity theft, and activate their free identity-theft monitoring membership as soon as possible.
The Walgreens data breach holds a distinct place in this year’s list of security incidents reported on the Office for Civil Rights (OCR) breach portal. With traditional data breaches, malicious actors specifically target unsecured severs or devices to gather sensitive data, spread malware or ransomware. However, cyberattacks are not the only way to steal personal information.
Even if the Walgreens data breach can be seen as an unfortunate side effect of the social turmoil that took US cities by storm in May, the incident should stand as a reminder that our personal data is not limited to the digital world. The paper trail we leave behind has an equal chance to fuel an identity thief’s next attack.