A Walgreens store in Riviera Beach, Florida.

Millions of consumers who had a COVID-19 test at a Walgreens (WBA) pharmacy store may have had their personal data exposed on the open web.

According to Recode, the drugstore chain may have leaked phone numbers and email addresses as well as names, dates of birth, and gender identities of COVID test takers on the open web for anyone to see and for numerous ad trackers on Walgreens’ site to collect.

Potentially the COVID-19 test results could have also been exposed, Recode said.

In a statement, Walgreens said about the breach, “We routinely evaluate our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients and we regularly review and incorporate additional security enhancements when necessary.”

Recode’s report determined that hackers could have guessed the unique patient IDs of the COVID-19 test recipients, or created bots that generated them, in a search of active pages on Walgreens’ portal, which would have given them the personal data they needed to hack the recipients’ accounts on other websites.

Security experts told Recode that given the ID’s 32-character length and the number of available combinations, it would have been close to impossible to find just one active page this way, meaning that tons of accounts were likely exposed.

It is unclear how long the data was accessible on the open web, but Alejandro Ruiz, a consultant with Interstitial Technology PBC, who discovered the issue, found it in March. Walgreens has been offering COVID-19 testing since April 2020 across 6,000 testing sites.

As of Tuesday at 12:54 p.m. ET, shares of Walgreens were trading at $48.45, down 73 cents, or 1.48%.


Photo: Joe Raedle/Getty Images