Monica ([personal profile] cellio) wrote 2019-05-03 05:46 pm

security vulnerability: pharmacy edition

While waiting to pick up a prescription, I noticed that the person in line ahead of me picked up prescriptions for both himself and his wife. Oh, good idea, I said to myself -- I should authorize Dani to pick up mine, just for flexibility.

When it was my turn I asked how to add my husband as someone who can pick up my prescriptions. Oh, the person manning the desk said cheerily, you don't have to do anything -- he just has to know your birthdate.

Whoa.

When picking up a prescription the only challenge I ever have to answer verbally (besides my name) is my birthdate. I do not, for example, have to say what medicine I'm here to pick up, or even how many prescriptions. The usual interaction is:

Me: (name)
Them: two prescriptions?
Me: Yup.
Them: birthdate?
Me: (answer)
Them: Any questions?
Me: Nope.
Them: Loyalty card? (swipe) Sign here. That'll be $X.

I don't have to show ID, but I assumed they were reading that out of my loyalty card. But no, anybody who knows an easily-compromised piece of information (how many data breaches have included this by now??), shows up in person, and has reason to believe that I have some prescription waiting can (a) collect it (denying it to me) and (b) find out what I'm taking. Hell, if the attempt comes up empty -- no prescriptions currently waiting -- the person can probably say "oh, I was expecting my doctor to have called in, um, I can't remember the name now" and be prompted for options.

Granted, this is a physical attack so it can't be done by just anybody on the Internet. But it's still a security vulnerability, especially when targeting older customers (good odds of being on something) or people known to need expensive medicines (either because of street value or to troll the victim). We worry about other physical attack vectors, like credit-card skimming.

I asked if I could attach a password to my record for pickups, but their software doesn't support that. I didn't ask if I could change my birthdate of record, because if I do that I'm just asking to have to prove it at some point in the future. (My bank, in contrast, has never asked me to prove that my mother's maiden name contains numbers and punctuation and, well, not a recognizable name.)

Is this the norm for pharmacies, or might looking for a different one be productive?

[personal profile] conuly 2019-05-03 10:16 pm (UTC)
As near as I can tell it's the norm for pharmacies. Lots of people - including lots of older people and, of course, children - habitually send others to pick up their prescriptions or do it when they're very sick.

[personal profile] goljerp 2019-05-03 10:18 pm (UTC)
Is your mother's maiden name

Smith'); DROP Table users; --

also? (Obligatory xkcd reference: https://xkcd.com/327/ )

[personal profile] thnidu 2019-05-04 04:57 am (UTC)
Oh, THAT one! 😈

[personal profile] alienor 2019-05-03 10:31 pm (UTC)
After a recent surgery my mom was able to pick up an opiate painkiller from the hospital pharmacy for me (she was my driver). They told her to take *MY* ID (she held all of my belongings) but not her own (I did authorize the hospital to talk to her about my condition, but apparently that was not necessary for her to pick up a controlled substance on my behalf).

When I was married, my then husband was able to pick up a controlled substance on my behalf. I did not give any formal permission, but he had to show HIS id (matching super common last name but not address, because when you move our state just gives you a piece of paper with the new address). I don't know if they recorded his id; they didn't record mine when I picked it up.
Edited 2019-05-03 22:32 (UTC)

[personal profile] minoanmiss 2019-05-04 01:47 am (UTC)
This has been the norm at all pharmacies I've ever frequented. It *is* a tradeoff between convenience and security, yeah, and I feel guilty for encouraging it every time I have my roommate get my meds for me.

[personal profile] jducoeur 2019-05-10 06:08 pm (UTC)
It's one of many processes that were built (and regulated) in a very different age, and look kind of weird now. I mean, consider the sheer insanity of the checking system...

[personal profile] gingicat 2019-05-04 08:22 am (UTC)
*nodnod* when a friend was very ill and having difficulty paying copays, I picked up a controlled substance for her in MA. They wanted her birthdate, address, and to swipe my ID.

[personal profile] hudebnik 2019-05-04 11:06 am (UTC)
[personal profile] shalmestere and I pick up one another's prescriptions all the time, using one another's birthdates as validation on the phone, and not even that in person. However, our pharmacy is a small local business that we've been going to for 25 years, and everybody behind the pharmacy counter knows both of our faces and knows that we're married to one another. And if it's not convenient for us to stop by the pharmacy, they'll leave the stuff in our home mailbox.

As [personal profile] shalmestere wrote to a friend shortly after moving here, "I never knew what it was like to live in a small town until I moved to New York City."

[personal profile] julian 2019-05-04 11:13 am (UTC)
Yah. Birthdate. CVS and Walgreens don't ask for address.

If it's a controlled substance, they are very good, almost universally, at requiring ID. (Your ID, however.)