The #pharmacy #chain in question, which is happy to give both your #prescription (and presumably #vaccination) #records to pretty much anyone who wants them, in addition to letting them see when your prescriptions are eligible for refill, order those refills, and turn on OR OFF automatic fills for your prescriptions is ...
Following links on the Shoppers' site, privacy issues are directed to the Chief Privacy Officer at Loblaws, their parent corporation. #Loblaws bought #Shoppers some years ago in a megamerger.
Shoppers is, I believe, the single largest source of #Canadians' #prescriptions. So this affects a lot of Canadians.
I tried to engage in #responsible #disclosure. I emailed the person in question, twice. I have the logs from my email server showing the messages getting to them.
I did not even receive an acknowledgement that they received my emails, despite knowing they did receive them.
So... if you've ever filled a prescription at Shoppers, or possibly even just received a #vaccine there, be aware that anyone who can guess which location you deal with and knows your #name and #phone number, can create a web #account attached to your medical files at Shoppers.
That attacker can see exactly what you've been prescribed - helpfully including both the brand name and the generic name - in what dosage, how often you take it, and which doctor prescribed it.
Most #people would consider this #information highly personal, and would expect Shoppers to #guard it carefully. It appears that isn't the case.
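The weakness described above is an account-linking flow that treats facts a stranger can know (store, name, phone number) as proof of identity. The following is an added, hypothetical example, not code from Shoppers or Loblaw, written to contrast that weak policy with a hardened one: the link succeeds only with proof of possession (a one-time code sent to the phone number already on file, plus a linking code handed over in person at the counter), under a small attempt budget and without any response that reveals whether a name/phone pair is on file. All records, phone numbers, codes and function names are constructed for the example.

```python
"""Binding a new web account to an existing patient file: weak vs hardened.

Added, hypothetical example (not Shoppers'/Loblaw's code). The weak policy
accepts whatever a stranger could KNOW; the hardened policy also demands proof
of POSSESSION. Every record, number and code here is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PatientFile:
    store_id: str
    name: str
    phone: str
    pickup_code_hash: bytes = b""      # hash of the code issued at the counter
    failed_attempts: int = 0
    linked_account: Optional[str] = None


# Constructed sample data, not real people.
PATIENTS = {
    "P-0001": PatientFile("store-12", "alex example", "+15550100"),
    "P-0002": PatientFile("store-12", "sam sample", "+15550101"),
}
MAX_ATTEMPTS = 3
SMS_OUTBOX: list = []            # stand-in for an SMS gateway: (phone, text)
_sessions: dict = {}             # opaque token -> (patient id or None, otp)


def _normalise(s: str) -> str:
    return " ".join(s.lower().split())


def _find(store_id: str, name: str, phone: str):
    for pid, p in PATIENTS.items():
        if p.store_id == store_id and _normalise(p.name) == _normalise(name) and p.phone == phone:
            return pid, p
    return None, None


def link_by_knowledge(account: str, store_id: str, name: str, phone: str) -> bool:
    """Weak policy: knowing public facts about someone is treated as being them."""
    pid, p = _find(store_id, name, phone)
    if p is None or p.linked_account:
        return False
    p.linked_account = account
    return True


def issue_pickup_code(pid: str) -> str:
    """Counter staff hand this to the patient after checking ID (hypothetical flow)."""
    code = secrets.token_hex(4)
    PATIENTS[pid].pickup_code_hash = hashlib.sha256(code.encode()).digest()
    return code


def start_link(store_id: str, name: str, phone: str) -> str:
    """Hardened step 1: always hand back an opaque token, so a miss looks like a hit.
    The one-time code goes to the number ON FILE, never to one the requester typed."""
    pid, p = _find(store_id, name, phone)
    token = secrets.token_urlsafe(16)
    if p is None or p.failed_attempts >= MAX_ATTEMPTS:   # locked file behaves like no match
        _sessions[token] = (None, "")
        return token
    otp = f"{secrets.randbelow(10**6):06d}"
    SMS_OUTBOX.append((p.phone, otp))
    _sessions[token] = (pid, otp)
    return token


def finish_link(account: str, token: str, otp: str, pickup_code: str) -> bool:
    """Hardened step 2: both proofs of possession must match (constant-time compares)."""
    pid, expected_otp = _sessions.pop(token, (None, ""))
    p = PATIENTS.get(pid) if pid else None
    if p is None or p.linked_account or p.failed_attempts >= MAX_ATTEMPTS:
        return False
    otp_ok = hmac.compare_digest(expected_otp, otp)
    code_ok = hmac.compare_digest(p.pickup_code_hash, hashlib.sha256(pickup_code.encode()).digest())
    if not (otp_ok and code_ok):
        p.failed_attempts += 1           # every miss burns budget, correct or not
        return False
    p.linked_account = account
    return True


def demo() -> dict:
    """Run the scenarios the post raises; returns outcomes so they can be checked."""
    r = {}
    # A stranger with public facts is accepted under the weak policy.
    r["weak_accepts_stranger"] = link_by_knowledge("stranger", "store-12", "Alex Example", "+15550100")
    PATIENTS["P-0001"].linked_account = None          # undo for the next scenario
    # Under the hardened policy the same facts get a token but no account.
    tok = start_link("store-12", "Alex Example", "+15550100")
    r["hardened_rejects_stranger"] = not finish_link("stranger", tok, "000000", "guess")
    # The actual patient has the phone and the counter code, so they succeed.
    code = issue_pickup_code("P-0001")
    tok = start_link("store-12", "Alex Example", "+15550100")
    r["hardened_accepts_patient"] = finish_link("alex", tok, SMS_OUTBOX[-1][1], code)
    # A request for a pair that is not on file looks exactly like one that is.
    r["no_enumeration_oracle"] = start_link("store-12", "Nobody Here", "+15550199") != ""
    # After MAX_ATTEMPTS failures the file is locked even for the correct counter code.
    code2 = issue_pickup_code("P-0002")
    for _ in range(MAX_ATTEMPTS):
        finish_link("stranger", start_link("store-12", "Sam Sample", "+15550101"), "000000", "guess")
    tok = start_link("store-12", "Sam Sample", "+15550101")       # locked: no SMS, dead token
    r["locked_after_budget"] = not finish_link("sam", tok, "000000", code2)
    return r
```

The design choice worth noting is that the hardened flow never answers the question "is this name/phone pair a patient here?": a non-matching or locked request receives the same opaque token as a matching one, and only the holder of the phone on file and the counter-issued code can turn that token into a linked account.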
This is a violation of the Personal Information Protection and Electronic Documents Act, which has applied to medical settings since 2002.
For example, Shoppers has a mobile app, but I haven't tried it. I would guess creating an account on their website would result in #credentials usable in the app, but haven't checked (no mobile device).
Shoppers uses a Loblaw's-wide #login system. So this might also apply to pharmacies in other Loblaw's companies (Loblaw's, Great Canadian Superstore, etc), but I haven't looked at those either.
Not responding to notifications of severe privacy/security violations is, frankly, criminal.
If any reporter is interested, I'm happy to discuss it. If you like, I can explain:
exactly what the problem is
how I discovered it
what measures Shoppers' systems should have included to make this attack impossible in the first place
what Responsible Disclosure is and how it works
what standard, industry-wide IT security practice mandates for systems handling confidential data, and which this problem demonstrates Shoppers didn't even attempt to do
I thought of one more avenue that might cause them to sit up and take #notice.
(3) some #lawyer decides to start a class-action #lawsuit against the Loblaw corporation for negligently potentially exposing many thousands of Canadians' highly confidential medical history to pretty much anyone who wants it, and then #negligently failing to do anything about it once informed of that fact.
That lawyer can feel free to #tip me 1% of the proceeds in thanks, I guess.