security vulnerability: pharmacy edition

Fri, 03 May 2019 22:08:32 GMT

While waiting to pick up a prescription, I noticed that the person in line ahead of me picked up prescriptions for both himself and his wife. Oh, good idea, I said to myself -- I should authorize Dani to pick up mine, just for flexibility.

When it was my turn I asked how to add my husband as someone who can pick up my prescriptions. Oh, the person manning the desk said cheerily, you don't have to do anything -- he just has to know your birthdate.

Whoa.

When picking up a prescription the only challenge I ever have to answer verbally (besides my name) is my birthdate. I do not, for example, have to say what medicine I'm here to pick up, or even how many prescriptions. The usual interaction is:

Me: (name)
Them: two prescriptions?
Me: Yup.
Them: birthdate?
Me: (answer)
Them: Any questions?
Me: Nope.
Them: Loyalty card? (swipe) Sign here. That'll be $X.

I don't have to show ID, but I assumed they were reading that out of my loyalty card. But no, anybody who knows an easily-compromised piece of information (how many data breaches have included this by now??), shows up in person, and has reason to believe that I have some prescription waiting can (a) collect it (denying it to me) and (b) find out what I'm taking. Hell, if the attempt comes up empty -- no prescriptions currently waiting -- the person can probably say "oh, I was expecting my doctor to have called in, um, I can't remember the name now" and be prompted for options.

Granted, this is a physical attack so it can't be done by just anybody on the Internet. But it's still a security vulnerability, especially when targeting older customers (good odds of being on something) or people known to need expensive medicines (either because of street value or to troll the victim). We worry about other physical attack vectors, like credit-card skimming.

I asked if I could attach a password to my record for pickups, but their software doesn't support that. I didn't ask if I could change my birthdate of record, because if I do that I'm just asking to have to prove it at some point in the future. (My bank, in contrast, has never asked me to prove that my mother's maiden name contains numbers and punctuation and, well, not a recognizable name.)

Is this the norm for pharmacies, or might looking for a different one be productive?

comments

Ow!

Tue, 31 Oct 2017 21:45:10 GMT

My employer, like many other large ones in the US, assesses a higher fee for health insurance if we don't cough up certain statistics for them. I don't know how much of this is snooping and how much is forcing us to at least get certain tests annually. Distasteful as the former is, we established several years ago that I can be bought on this if the price difference is high enough.

Many locations have on-site "clinics" where you can show up, let them prick your finger, fill out paperwork, and be done. My location is too small for that, though, so we have three choices: go to your doctor, go to a lab where they'll do it, or order a do-it-yourself kit. I didn't want to pay for an office visit just for this and the lab sounded like a hassle, so I ordered the kit. I mean, it's just a pin-prick, right? Even with my needle-aversion I can handle that. I did this through my doctor last year and through an on-site clinic at my previous employer, so I figured this'd be ok.

I will never, ever do that again. Their damned lancet hurt, and I had to do it twice to get enough blood (answering the question of why they sent two while providing instructions using one, I guess). It left bruises on my finger. Hours later it still hurts if I'm not careful when typing with that finger. And the puncture marks are bigger than I expected. This...did not happen with my past experiences.

Nope, not doing that again. Grr. What they learn about my blood sugar better be worth it.

comments

Monica

security vulnerability: pharmacy edition

Ow!