Slashdot Mirror


Hacking the US Prescription System

An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. At the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
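To make the flaw in the summary concrete, here is an added illustrative model (not PillPack's code, and constructed sample data only): the weak flow releases the history as soon as name and date of birth match, while the hardened flow uses those two values only to locate a record and releases the history after the requester proves control of a contact already on file, with a capped, single-use code and a response that does not reveal whether a record exists.

```python
import hmac
import secrets

# Constructed sample records standing in for the pharmacy back end; not real data.
PATIENTS = {
    ("Jane Doe", "1970-04-12"): {
        "phone": "+1-555-0100",  # contact already on file, assumed
        "rx": ["lisinopril 10mg", "metformin 500mg"],
    },
}

def vulnerable_signup(name: str, dob: str) -> list:
    """The flaw as described: name + DOB alone unlock the full history."""
    rec = PATIENTS.get((name, dob))
    return list(rec["rx"]) if rec else []

# Hardened flow: name + DOB only locate a record; the history is released
# only after a code sent out-of-band to the contact on file is returned.
PENDING = {}   # challenge id -> {record, code, tries}
OUTBOX = []    # (phone, code) pairs; stands in for an SMS/letter gateway

def start_signup(name: str, dob: str) -> str:
    """Always returns a challenge id, so the response never confirms a match."""
    cid = secrets.token_urlsafe(16)
    rec = PATIENTS.get((name, dob))
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[cid] = {"rec": rec, "code": code, "tries": 0}
    if rec:
        OUTBOX.append((rec["phone"], code))  # delivered out-of-band only
    return cid

def finish_signup(cid: str, code: str) -> list:
    """Release the history only for a valid, single-use, not-over-tried code."""
    ch = PENDING.get(cid)
    if ch is None:
        return []
    ch["tries"] += 1
    if ch["tries"] > 3:  # cap guessing of the six-digit code
        del PENDING[cid]
        return []
    if ch["rec"] is None or not hmac.compare_digest(ch["code"], code):
        return []
    del PENDING[cid]  # single use
    return list(ch["rec"]["rx"])
```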

19 of 78 comments

  1. Assumptions by dcollins117 · · Score: 4, Informative

    From TFA, regarding a person's prescription history, it says

    > It is assumed that this information comes from the various backend systems that interlink the pharmacies as described above.

    I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

    That being said, it is unconscionable how lax PillPack.com security procedures were.

    1. Re:Assumptions by OverlordQ · · Score: 4, Interesting

      > I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies.

      This. Pretty much every prescription the doctor writes effectively goes straight to the drug reps. If you stop prescribing, they'll know, and come in and bribe^H^H^H^Hinquire as to why you stopped prescribing their drug.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Assumptions by raburton · · Score: 4, Informative

      Very pleased we have a different system in the UK. Drug reps aren't even supposed to give us pens anymore. That said I've had plenty of free lunches from drug reps along with a presentation about their latest drug, but I'm not talking about fancy dinners just a light picnic type spread from the nearest supermarket. There isn't much point them doing it anyway, as a general rule we are only supposed to prescribe things that are approved by NICE (after proper cost/benefit analysis) and/or in our local formulary. If you are prescribing outside that they'll be coming to you for an explanation, not the drug companies. Drug companies are also not allowed to advertise prescription only drugs direct to the public, which I think is probably the most important difference.

    3. Re:Assumptions by mrbester · · Score: 2

      That, plus we have data protection laws that prevent patients from being identified by the companies that make the prescription drugs. For sure there are reports that state how many use drug X, but that's aggregated data.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    4. Re:Assumptions by Anonymous Coward · · Score: 2, Informative

      They don't sell this information. Instead, the states have set up prescription monitoring programs (PMP) to prevent drug abuse through doctor shopping. Pharmacies are required to submit information about the filled prescription for Schedule II, III, or IV drugs. Some states also allow the pharmacist to consult the PMP for recent prescription history to prevent filling duplicate orders. Hospitals and doctors that directly administer these controlled drugs are normally exempt from reporting to the PMP. The data in PMP registries is used by licensing boards and law enforcement to detect suspicious activity.

    5. Re:Assumptions by CrimsonAvenger · · Score: 2

      > I think it is far more likely that the pharmacy sells this information to insurance

      So, the pharmacies are selling information on your prescription drugs to...your insurance company?

      You remember your insurance company - they're the ones who are paying for your prescription drugs. If the pharmacies are selling your drug information to your insurance companies, the pharmacies have one of the greatest rackets in history - they're managing to sell information that is REQUIRED FOR BILLING to the people paying the bills.

      Now that's audacity!

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    6. Re:Assumptions by DingerX · · Score: 2

      What do they have to sell here? All you need is a legitimate business case to be on the network, and you have access. That's the point here: PillPack immediately changed their procedures, but if they were able to call up a full prescription record using only name and DOB, any number of other businesses with a medical component can too. All you need is to associate names and DOBs (Facebook anyone?), call up the prescription records, look for something chronic, desperate and lucrative, and fire off an automated, personalized email. Profit!

    7. Re:Assumptions by Alan+Shutko · · Score: 2

      > I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

      Definitely not. Pharmacies and PBMs are prohibited from selling patient health information. PBMs sell aggregated information to pharma companies, so they can understand the drug trends in an area. They sell doctor-identified data as well. This is a pretty good summary of the data that PBMs and pharmacies can and cannot sell

      I suspect that this was information retrieved by the ePrescribe network. The NCPDP SCRIPT standard defines a transaction to retrieve a prescription history. The standard is not publicly available so we can't see what data elements are required to request a medication history, but I'm guessing that this is how PillPack retrieved the info.

    8. Re:Assumptions by Alan+Shutko · · Score: 3, Informative

      The US has protection that prevents patients from being identified by the companies that make the drugs. There is no federal law preventing DOCTORS from being identified as prescribing a drug. Maine, New Hampshire, and Vermont have laws to further limit this practice.

    9. Re:Assumptions by dcollins117 · · Score: 3, Interesting

      I'll allow that I may be wrong. I don't know; it's never happened before so I don't know what it feels like :P

      I note in the excellent link you provided under the section of data mining it says

      > Data miners buy prescription information from pharmacies and PBMs.

      Apparently, data identifying a specific person is removed "sufficient to remove the data from the protection of the CMIA and HIPAA", and the records are assigned a number.

      Further,

      > Prescription data miners have the ability to re-identify individual data based on the number assigned to it, and they operate separately from the entities - health care providers, health plans, health care clearinghouses, and their contractors or business associates - that do have legal obligations.

      I don't think it too far-fetched to think this happening, particularly since I started seeing a lot of targeted ads for asthma medications not long after coming down with respiratory difficulties last year. Somebody's doing something shady, I'll bet.

  2. Re:Not exactly a hack by arth1 · · Score: 5, Informative

    > This is just plain irresponsible behaviour by PillPack, nothing to do with hacking.

    No, this is just plain irresponsible behavior by those who share information with PillPack and others.

    Recently, I noticed that when I picked up a prescription for a (for me new) medication that's mostly used for one purpose, I suddenly got dozens of spam e-mails wanting to "help" me with a particular diagnosis I don't have. And that's the few that went through the double layer spam filter. It was way too pervasive to be a coincidence.

    It's clear that the US prescription system leaks like a sieve, and that even spammers have access to people's prescription history.
    Can we go back to paper prescriptions that don't enter a database, please?

  3. Re:Not exactly a hack by Anonymous Coward · · Score: 3, Funny

    Dude, I get spam for Viagra every day.

  4. Re:Not exactly a hack by CrimsonAvenger · · Score: 2

    > Recently, I noticed that when I picked up a prescription for a (for me new) medication that's mostly used for one purpose, I suddenly got dozens of spam e-mails wanting to "help" me with a particular diagnosis I don't have. And that's the few that went through the double layer spam filter. It was way too pervasive to be a coincidence.

    I've been taking moderately special purpose meds off and on for years (the sorts of things you take when you have a bone marrow transplant).

    I have NEVER gotten any spam emails as a result (unless you count that "you really need to refill your prescription since you're about to run out of pills, you dolt!" sort that I get as a reminder from the drugstore)....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
  5. Re:Not exactly a hack by CrimsonAvenger · · Score: 4, Interesting

    > They know about your medication (see above).
    > What they may lack is the matching email address to your name?

    They know about my meds because I pretty much have to tell someone to get the prescription filled.

    They know my email address since the same people I go to to get the prescription filled have my email address so they can send me reminders that my refills are due.

    So, the pharmacy has my prescription history going way back (what, you think I change pharmacies every time I get a new prescription) and my email address. And I still have never gotten any spam advertising drugs.

    Note that drug advertising to me wouldn't actually do any good, since I'm not an MD, and am incapable of prescribing drugs to myself (or anyone else). That sort of thing is best aimed at doctors and hypochondriacs (the kind who will nag their doctors about the new drugs they see on TV that sound like they'd be PERFECT for their problems)....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
  6. Re:Not exactly a hack by SuseLover · · Score: 3

    For that matter can we please go back to paper medical records too? How long will it be before all our medical histories become public knowledge?

    While in theory EMRs can do a lot of good by providing any doctor instant critical info, in the current big-data, low-security environment, no.

  7. HIPAA by Registered+Coward+v2 · · Score: 5, Informative

    It would seem that this would be a violation of HIPAA security rules, assuming pharmacies are covered entities, which I think they are. Specifically, covered entities must maintain adequate:

    Administrative Safeguards

    Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.

    Technical Safeguards

    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

    It would seem simply allowing access via a name and birthdate is a violation of the above requirements.

    Source: http://www.hhs.gov/ocr/privacy...

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:HIPAA by Registered+Coward+v2 · · Score: 2

      To me the issue is not that they have such a policy but that they fail to properly protect the data, which may be a HIPAA violation.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  8. Copays? How about cash price? by thogard · · Score: 2

    When you try to get a prescription filled in a pharmacy they take your ID and insurance card and send that off to your insurance company. If you have a prescription for something simple and cheap like penicillin that cost say $3 the conversation looks something like this:
    Pharmacy (to insurance co): Joe Sucker gave me a $25 co pay card for penicillin.
    InsCo: Tell him that it is $30 and you now owe us $22.
    Pharmacy to Joe: You owe us $25.

    If Joe had asked cash price, the conversation would have been:
    Pharmacy (to Joe): That will be $3.
    Joe: But I have a $25 co pay
    Pharmacy: Do you want to pay $3 or $25?

  9. Re:Not exactly a hack by ColdWetDog · · Score: 3, Interesting

    Your pharmacist has sold your prescription data to some shady third party for advertising purposes. Somehow they managed to loophole that out of HIPAA - it's a 'service' for your own good - or something along those hallucinatory lines.

    Supposedly you can opt out but you first have to know if you got opted in.

    I'm actually surprised that this hasn't generated much flack, but there are so many things to get angsted at I think that most people are just overwhelmed. Personally, I ran out of extra angst a long time ago.

    --
    Faster! Faster! Faster would be better!