Walgreen Company has been hit with a proposed class action lawsuit in the wake of a September 2019 data breach that reportedly exposed the personal and health-related information of potentially thousands of online customers.
According to the case, Walgreens on September 26, 2019 noticed “abnormal activity” on a “limited number” of Walgreens.com customer accounts. Upon investigation, the company discovered that unauthorized third parties had used valid login credentials from other websites to gain access to customers’ personally identifiable information, as well as protected health data, stored on Walgreens’ website, the suit says.
The exposed information allegedly included:
Drug classifications derived from customers’ prescription records (e.g., beta blockers, calcium channel blockers, antihypertensives);
Health-related suggestions referencing certain conditions or topics (e.g., asthma, COPD, migraines, blood pressure maintenance);
Personal demographic information such as names, dates of birth, phone numbers, and email addresses;
Walgreens Balance Rewards ID numbers or card numbers; and
AARP ID numbers.
The case claims that although the defendant had the resources necessary to prevent the breach, the company refused to “adequately invest” in proper data security and ultimately allowed customers’ private personal and health information to fall into “the hands of thieves.”
“Had Defendant remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field, it would have prevented the intrusions into their systems and, ultimately, the theft of [personally identifiable information and protected health information],” the complaint reads.
The lawsuit goes on to criticize Walgreens’ response to the breach, stressing that although the company had identified affected customers as early as October 5, 2019, it waited until December 3 to send notice of the breach. Moreover, Walgreens has failed to offer affected customers “any compensation or additional protective services” such as credit monitoring or fraud remediation, according to the case. The suit argues that Walgreens’ suggestion that customers change their passwords and “remain vigilant” is “wholly inadequate” considering victims may face “multiple years of ongoing identity theft and fraud” due to the exposure of their private information.
The lawsuit looks to cover anyone whose personally identifiable information and protected health information was compromised in the data breach announced by Walgreens in December 2019.