Vox said the issues stem at least as far back as July 2020 but could potentially trace back to April 2020. Anyone signing up for a test with the pharmacy as of Wednesday will be similarly exposed.
Test Data Exposed
Vox’s Recode published an alarming report Monday that accuses Walgreens of exposing and failing to protect the personal data of millions who signed up for COVID-19 tests through its “sloppy” registration system.
That exposed data reportedly includes people’s names, birthdays, gender identities, phone numbers, addresses, email information, and in some cases, even their test results. All of this “was left on the open web for potentially anyone to see and for the multiple ad trackers on Walgreens’ site to collect,” Recode reporter Sara Morrison said in the article, published Monday.
According to Morrison, the exposed data potentially stretches as far back as April 2020, which is when Walgreens first began offering COVID-19 tests, but it definitively traces back at least to July 2020 given Recode’s findings.
The Issue Involves Test Confirmation Links
Security experts cited by Morrison said the vulnerabilities are basic issues that Walgreens, one of the largest pharmacy chains in the country, should have known how to prevent.
Essentially, anyone with a link to an appointment confirmation can view the full confirmation. There’s no need to log in or authenticate your identity any other way.
To make the situation even easier for bad actors, the links used to confirm appointments are exactly the same minus a unique patient ID contained in what’s called a “query string.” With millions of tests confirmed, it’s not hard for a hacker or a bot to start finding active pages, though, as Morrison noted, it would be “close to impossible” to find a specific person through this method.
Still, it’s not totally impossible to find a specific person. If a patient views their confirmation link on a shared computer, such as one at work or a public library, anyone with the ability to check that computer’s browser history can click on the link and reap the person’s information.
“Security by obscurity is an awful model for health records,” Sean O’Brien, founder of Yale’s Privacy Lab, told Recode.
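The access pattern described above, next to one way to close it, shown as an added example that is not from the article or from Walgreens’ systems. The record store, key, field names, link lifetime and the date-of-birth check are assumptions made for illustration; the signed, expiring token addresses guessable IDs, and the second factor addresses links left in a shared browser’s history.

```python
import hashlib
import hmac
import time

# Constructed sample data; the ID, name and fields are hypothetical.
RECORDS = {
    "1000417": {"name": "A. Example", "dob": "1990-01-31",
                "slot": "2021-09-14 10:30", "result": "pending"},
}
LINK_KEY = b"demo-only-key"  # assumption: server-side secret, never sent to clients
LINK_TTL = 72 * 3600         # assumption: links stop working 72 hours after issue


def lookup_by_id_only(patient_id):
    """Pattern the article describes: the ID in the URL is the only gate."""
    return RECORDS.get(patient_id)


def _mac(patient_id, issued):
    msg = f"{patient_id}.{issued}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def issue_link_token(patient_id, now=None):
    """Bind the ID to an issue time with an HMAC so it cannot be edited or guessed."""
    issued = str(int(now if now is not None else time.time()))
    return f"{patient_id}.{issued}.{_mac(patient_id, issued)}"


def lookup_hardened(token, dob, now=None):
    """Return a minimal view only for a valid, unexpired token plus a matching DOB."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        return None
    patient_id, issued, mac = parts
    # Constant-time comparison; the MAC also covers the timestamp.
    if not hmac.compare_digest(mac.encode(), _mac(patient_id, issued).encode()):
        return None
    if now - int(issued) > LINK_TTL:
        return None
    record = RECORDS.get(patient_id)
    if record is None or not hmac.compare_digest(record["dob"].encode(), dob.encode()):
        return None
    # Disclose only what a confirmation page needs; results stay behind login.
    return {"slot": record["slot"]}
```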
Walgreens Has Not Fixed the Issue
Even after one tech consultant discovered the issue in March and pointed it out to Walgreens multiple times, the company seemingly did nothing, according to Morrison.
From there, Recode said it informed Walgreens of the findings again and even gave it “time to fix the vulnerabilities before publishing” its piece, but once again, the company failed to do anything.
As of right now, anyone scheduling a COVID test with Walgreens appears to be at the same level of risk as those who previously registered. Not only is that a concerning privacy issue, but it could also discourage many from getting tested.
In statements to several outlets, Walgreens has not directly addressed the security concerns. For example, it only told Fox Business that it “routinely evaluate[s] our technology solutions in order to provide safe, secure, and accessible digital services to our customers and patients.”
For those seeking COVID tests and potentially discouraged by this news, it is important to remember that Walgreens isn’t the only pharmacy chain offering free tests. Cities and counties across the country are also continuing to offer free testing sites amid a spike in cases caused by the Delta variant.
See what others are saying: (Recode) (Fox Business) (Reuters)
Mental Health Startup Cerebral May Have Harmed Hundreds of Patients, Leaked Documents Reveal
The company is being investigated by multiple federal agencies for its questionable practices, which have come under increasing scrutiny in recent weeks.
Over 2,000 Incident Reports Shed Light on Recklessness
A Silicon Valley mental health startup called Cerebral may have harmed hundreds of patients by flagrantly disregarding medical standards, according to a cache of documents reviewed by Insider, as well as over 30 interviews with current or former employees by the outlet.
Founded in 2020, Cerebral provides mental health treatment to customers through talk therapy and medication for conditions such as depression, anxiety, insomnia, and ADHD.
With people quarantined during the pandemic, it became one of the largest virtual therapy firms in the United States, attracting some $462 million from investors.
Cerebral employees filed at least 2,060 incident reports during seven months in 2021, according to Insider. They show that the company enrolled patients with complex conditions like bipolar disorder, then assigned them to clinicians and other staff members with insufficient training, oversight, and support to treat such cases.
It also put dozens of patients on questionable treatment plans and misdiagnosed many others, the reports say, with company medical providers prescribing potentially lethal combinations of drugs or addictive drugs to patients with histories of addiction.
Additionally, many patients were left stranded without care for extended periods due to technology issues or the company’s failure to retain clinicians.
As a result, Cerebral shuffled patients from one provider to the next and even bungled their prescriptions, sometimes leading them to suffer drug withdrawal or take the wrong medication.
Patients Tell Their Stories
One patient reportedly spent two weeks waiting for a referral to a clinician, later saying she spent eight days in a psychiatric ward.
Another patient told CBS News she was prescribed a drug for her anxiety but afterward could not reach her prescriber for instructions on how to switch to the new medication safely.
“Any time I needed help, she was never available,” she said.
After she did not get a response for six days, she began taking the drug anyway, which caused her to break out in a rash.
“I messaged back,” she said, “letting them know it was spreading and getting worse, and they said that they were still trying to get a hold of that prescriber… They make it seem like they want to help, and then they get you, and then they’re gone.”
A Cerebral spokesperson told Insider that the reports did not highlight enough patients to accurately reflect the company.
“Any incident reports you obtained show Cerebral’s dedication to quality,” the spokesperson said. “You can’t take a relatively small group of incident reports and draw conclusions about our care.”
Two former senior employees told the outlet those reports were monitored by just a couple of people who had other responsibilities at the company, adding that leadership frequently pushed off solving the systemic issues flagged.
Cerebral’s practices are currently being investigated by the Drug Enforcement Administration, the Department of Justice and the Federal Trade Commission.
See what others are saying: (Business Insider) (CBS News) (Fierce Healthcare)
Instagram Testing New Tools To Verify Users Are Over 18
The new tools include AI software that analyzes video footage of a person’s face to verify their age.
Instagram Cracks Down on Underage Users
Instagram is testing new features in the United States to verify the age of users who claim to be over 18 years old.
According to a statement from Instagram’s parent company, Meta, the tools will only apply to users who seek to change their age from under 18 to over 18. The platform previously asked for users to upload their ID for verification in this process, but on Thursday, it announced there will be two new methods for confirming age.
One of the strategies was referred to as “social vouching.” Using this option, people can request that three mutual Instagram followers over the age of 18 confirm their age on the platform.
The other method allows users to upload a video selfie of themselves to be analyzed by Yoti, third-party age verification software. Yoti then estimates a person’s age based on their facial features, sends that estimate to Meta, and both companies delete the recording.
According to Meta, Yoti cannot recognize or identify a face based on the recording and only looks at the pixels to determine an age. Meta said that Yoti “is the leading age verification provider for several industries around the world,” as it has been used and promoted by social media companies and governmental organizations.
Still, some question how effective it will be for this specific use. According to The Verge, while the software does have a high accuracy rate among certain age groups and demographics, data also shows it is less precise for female faces and faces with darker skin tones.
Issues With Kids on Instagram
Meta argues that it is important for Instagram to be able to discern who is and is not 18, as it impacts what version of the app users have access to.
“We’re testing this so we can make sure teens and adults are in the right experience for their age group,” the company’s statement said.
“When we know if someone is a teen (13-17), we provide them with age-appropriate experiences like defaulting them into private accounts, preventing unwanted contact from adults they don’t know and limiting the options advertisers have to reach them with ads,” it continued.
These changes come as Instagram has been facing increased pressure to address the way its app impacts younger users.
Only children 13 and older are allowed to have Instagram accounts, but the service has faced criticism for not doing enough to enforce this. A 2021 survey of high school students found that nearly half of the respondents had created a social media account of some kind before they were 13.
The company also recently came under fire after The Wall Street Journal published internal Meta documents revealing that the company knew that it harmed teens, including by worsening body image issues for young girls and women.
See what others are saying: (The Verge) (The Wall Street Journal) (Axios)
Elon Musk Threatens to Fire Employees Unless They Work in Person Full-Time
The world’s richest man previously suggested that the popularity of remote work has “tricked people into thinking that you don’t actually need to work hard.”
“If You Don’t Show up, We Will Assume You Have Resigned”
On Wednesday, Electrek published two leaked emails apparently sent from Elon Musk to Tesla’s executive staff threatening to fire them if they don’t return to work in person.
“Anyone who wishes to do remote work must be in the office for a minimum (and I mean *minimum*) of 40 hours per week or depart Tesla,” he wrote. “This is less than we ask of factory workers.”
“If there are particularly exceptional contributors for whom this is impossible, I will review and approve those exceptions directly,” he continued.
Musk then clarified that the “office” must be a main office, not a “remote branch office unrelated to the job duties.”
“There are of course companies that don’t require this, but when was the last time they shipped a great new product? It’s been a while,” he wrote in the second email.
Later on Wednesday, a Twitter user asked Musk to comment on the idea that coming into work is an antiquated concept.
He replied, “They should pretend to work somewhere else.”
The Billionaire Pushes People to Work Harder
Musk has a history of pressuring his employees and criticizing them for not working hard enough.
“All the Covid stay-at-home stuff has tricked people into thinking that you don’t actually need to work hard. Rude awakening inbound,” he tweeted last month.
Three economists told Insider that remote work during the pandemic did not damage productivity.
“Most of the evidence shows that productivity has increased while people stayed at home,” Natacha Postel-Vinay, an economic and financial historian at the London School of Economics, told the outlet.
Musk is notorious for criticizing lockdown mandates and went so far as to call them “fascist” during a Tesla earnings call in April 2020.
Not long before that, Tesla announced that it would keep its Fremont, California plant open in defiance of shelter-in-place orders across the state.
In an interview with The Financial Times last month, Musk blasted American workers for trying to stay home, comparing them to their Chinese counterparts, who he said work harder.
“They won’t just be burning the midnight oil. They will be burning the 3 a.m. oil,” he said. “They won’t even leave the factory type of thing, whereas in America people are trying to avoid going to work at all.”
That same day, Fortune published an article detailing how Tesla workers in Shanghai work 12-hour shifts, six days out of the week, sometimes sleeping on the factory floor.