Walgreens reports data breach affecting 72,000 individuals

Walgreen Co., the second largest pharmacy chain in the United States, recently reported a breach that may have involved the protected health information (PHI) of more than 72,000 individuals, according to data in the Office for Civil Rights (OCR) breach portal.

In a letter to affected individuals dated July 24, Walgreens said the data was compromised sometime between May 26 and June 5 as various individuals broke into multiple Walgreens stores and stole items containing health-related information, such as filled prescriptions waiting for customer pickup and paper records.

A Walgreens spokesperson told the Philadelphia Inquirer that approximately 180 of the company’s stores across the country were affected by the potential data breach.

The following data elements may have been affected during the breach:

• Address
• Balance Rewards number
• Clinical information such as medication name, strength, quantity, and description
• Date of birth and/or age
• Email address 
• First and last name
• Health plan name and group number
• Phone number
• Photo ID number - Driver’s license, state ID, military ID, or passport (e.g., for purchases such as pseudoephedrine)
• Prescription number
• Prescriber name
• Vaccination information, including eligibility information

In the letter to the affected individuals, Walgreens said it took steps to close out and re-enter impacted prescriptions in its system to prevent potential fraud regarding the original prescriptions. Walgreens also informed individuals that insurance claims were reversed for any stolen filled prescriptions that had already been billed to health plans.

Finally, Walgreens stated that it will continue to evaluate its safeguards. The company contacted local law enforcement when appropriate.