Walgreens customers in Philadelphia may have had their prescription information stolen during the widespread looting that took place in May, the retailer disclosed in a letter last week.
Thieves stole filled prescriptions and paper records with health information from about 180 Walgreens stores nationwide between May 26 and June 5, the company wrote in a July 24 letter. The potentially exposed data — from paperwork attached to prescriptions awaiting pickup — includes customer names and ages, their medication names and dosages, prescription numbers and prescriber names, health plan names and group numbers, vaccination information, and their addresses, phone numbers, and email addresses, according to the letter.
Credit card numbers, banking information, and Social Security numbers were not compromised, the company wrote. In the letter, Walgreens said it closed out and re-entered affected prescriptions in its system to prevent fraud. Insurance claims were also reversed for any stolen filled prescriptions that had already been billed to health plans.
A Philadelphia resident who contacted The Inquirer got a letter informing him that “your preferred Walgreens” was among those broken into. The customer, who requested anonymity because he is considering a lawsuit, said he got his prescriptions filled at the Walgreens at 1809 E. Allegheny Ave.
A Philadelphia police spokesperson confirmed that the store was burglarized on May 31, and that the department’s East Detectives Division is investigating.
Walgreens spokesperson Jim Cohn declined to say how many stores were looted and which Philadelphia outlets were affected. About 180 of the company’s 9,200 locations were affected by the potential data breach, he said.
“Like many retailers, pharmacies and local businesses across the country, we recently had a number of stores sustain varying degrees of damage as a result of vandalism and theft,” Cohn said in a statement. “As part of a comprehensive investigation and review of the damage, we learned there was also limited unauthorized access to certain patient information at some of these damaged locations.”
Walgreens has worked with law enforcement and is evaluating the safeguards it uses, he added.
Owners of the Walgreens chain told investors in July that they lost $75 million in uninsured “store damage and inventory losses as a result of looting in the U.S. during May 2020,” The Inquirer reported. Rival chains CVS and Rite Aid suffered damage, too.
Walgreens has advised customers to monitor their prescription and medical records, such as by reviewing their benefits statements from health insurance companies. Although financial information was not stolen, Walgreens told customers how to obtain free credit reports.
Pharmacies are subject to the Health Insurance Portability and Accountability Act (HIPPA) and must maintain physical security to keep health information confidential, said Anthony Vance, the director for the Center for Cybersecurity at Temple University’s Fox School of Business. Pharmacies must also conduct a risk analysis that considers the ways such data could be taken, he added.
“I haven’t seen the risk analysis, but it probably did not take into account the possibility of riots,” Vance said. “So it doesn’t mean that they’re being negligent. It just may well be that they didn’t take into account that someone could storm a store.”
The Walgreens case is still an information security breach in Vance’s book, even if it’s a low-tech one dealing with stolen paper.
“It’s just that most people, when they think of information security, they think of computers and networks,” he said. “It’s easy to forget that information security also applies to paper and to trash. And in this case, the physical packaging.”