Looting Causes Data Breach at Walgreens

The personal health information (PHI) of over 72,000 Walgreens customers has been exposed after looters broke into nearly 200 stores and stole prescriptions. 

America's second-largest pharmaceutical chain contacted impacted customers in July to disclose the data breach. Walgreens spokesperson Jim Cohn told the Philadelphia Inquirer that 180 Walgreens stores had been looted but declined to state which specific ones. 

“As part of a comprehensive investigation and review of the damage, we learned there was also limited unauthorized access to certain patient information at some of these damaged locations,” Cohn said in a statement. 

Walgreens said that while paper records and filled prescriptions were swiped by looters, no financial information or Social Security numbers belonging to customers were exposed. 

In a breach notification letter dated July 24, Walgreens wrote: “Sometime between May 26 and June 5 2020, various groups of individuals broke into multiple Walgreens stores and forced entry into the secured pharmacy at select locations, including your preferred Walgreens.

“Among the many items stolen were certain items containing health-related information — such as filled prescriptions waiting for customer pick up and paper records.”

Sensitive information exposed in the spate of looting included customers' full name, address, date of birth/age, phone number, email address, balance rewards numbers and photo ID numbers. Vaccination information was also exposed along with prescription details and clinical and health plan information.

The letter went on to state: “Upon learning of the potential compromise of information, Walgreens promptly took steps to close out and re-enter impacted prescriptions in our system to prevent potential fraud regarding the original prescription.”

Walgreens said that it was coordinating with local law enforcement where appropriate and had taken steps to reverse insurance claims for any stolen filled prescriptions that had already been billed to health plans. 

Impacted customers were offered one year of credit monitoring free of charge and were given advice on how to obtain and monitor credit reports. Customers were further advised to “follow-up with your insurance company or the care provider for any items you don’t recognize.”

According to data in the Office for Civil Rights (OCR) breach portal, the data breach may have affected 72,143 Walgreens customers.

What’s Hot on Infosecurity Magazine?