March 23, 2016, 4:38 PM

Walmart.com exposes patient pharmacy records

Coding tied to a change in servers caused personal data on up to 5,000 patients to be visible for several days.

Lead Photo

Exposed consumer data—either hacked or openly displayed because of computer glitches, sloppy workflow and human error—remains a consistent problem with online pharmacies. This time the problem belongs to the online pharmacy on Walmart.com.

Wal-Mart Stores Inc., No. 3 in the Internet Retailer 2015 Top 500 Guide, confirms that between Feb. 15 and 18 the company exposed personal information, including name, address, date of birth and prescription history, of potentially as many as 5,000 customers who buy and refill prescriptions through the online pharmacy. The personal data and medical records were visible when other consumers logged on to Walmart.com’s pharmacy pages.

No debit card, credit card or Social Security information was compromised. The problem wasn’t attributable to an outside hacker but occurred because of coding errors during a migration to a new server. "A software coding error for a 72-hour period from Feb. 15-18 affected a limited group of online pharmacy customers," says a spokesman.

Walmart.com says it moved quickly to notify consumers whose information was exposed. Walmart.com isn’t saying much about the specifics of what caused sensitive consumer information to become exposed during a data transfer between servers—or what corrective measures the company is taking to prevent the problem from happening again. “I can confirm the details but beyond that I don’t have any additional details to share,” the spokeswoman says.  

Exposed data—and data hacking—are a consistent problem for some pharmacy chains and other chain retailers that operate an online pharmacy. In July, CVS Caremark Corp. (No. 109 in the Top 500) and Costco Wholesale Corp. (No. 11) temporarily closed the online photo service pages on their respective sites after the third-party service provider—PNI Digital Media, a unit of office supplies retailer Staples Inc.—acknowledged that hackers were able to break in and steal online customer information, including payment card data and email addresses. It remains unclear how many customers were impacted by the data breach. CVS and Costco have since resumed online photo processing after enacting security improvements or choosing a new vendor. CVS now uses Snapfish.com. At the time of the breach both retailers also offered customers up to one year of free credit monitoring and personal identification protection.

“As a precaution, we temporarily shut down access to online and related mobile photo services, but CVSPhoto.com resumed service in late 2015 to accept photo orders,” a CVS spokesman says. “Financial transactions for online photo orders are now handled in-store at CVS Pharmacy when customers pick up their photos.” 

Even the though it wasn’t a data hack at Walmart.com the fact that any personal web shopper information, especially medical records, was exposed is a serious problem, says Avivah Litan, a data security analyst with research firm Gartner. “This is a big deal because Wal-Mart is known for its strong security and it’s very unusual for them to have an issue like this,” she says.

 

comments powered by Disqus
Get a Free Subscription to IR

From The IR Blog

FPO

Wendy Wallner / Mobile Commerce

How retailers can make their mobile apps ‘stickier’

An app should be the easiest way to make a purchase, and offer other benefits, ...

FPO

Emily Carrion / Mobile Commerce

5 ways retailers can spiff up their mobile apps for the holidays

Effective apps not only boost sales, they provide an easy way to obtain customer feedback.

Advertisement