Overview

PillPack.com, an online pharmacy, used insufficient identity
validation resulting in exposure of private prescription information
from other pharmacies.

Description

PillPack.com is an online mail order pharmacy available for persons
residing in the United States. During the signup process for new users
on their site, PillPack.com retrieves the user’s full prescription
history from their existing pharmacies including medication name,
dosage and the name of the pharmacy where the prescription is located
at. It is assumed that this information comes from the various backend
systems that interlink the pharmacies as described above.

During the signup process, PillPack.com prompts users for their
identifying information. In the end of the signup rocess, the user is
shown a list of their existing prescriptions in all other pharmacies
in order to make the process of transferring them to PillPack.com easier.
Testing has shown that the prescription history is looked up by full
name and birthdate alone, with the other information provided
not used for validation of user’s identity.

To replicate this issue, an attacker would be directed to the
PillPack.com website and choose the signup option. As long as the full
name and the date of birth entered during signup match the target, the
attacker will gain access to the target’s full prescription history.

This issue does not appear to be limited to national chains of
pharmacies but also includes smaller independent ones. It also does
not appear to be limited to a patients residing in a single state. It
is not limited to people already signed up at PillPack.com, and
includes up to date prescription data even for existing users of
PillPack.com.

Impact

Anyone can use the signup system to view prescription history for any
person from other pharmacies as long as they have their full name and
a birth date.

Solution

The vendor has fixed their web application by adding additional
validation for user identity. The underlying backend systems that
provide the prescription data are assumed to remain unchanged.

Further Discussion

While the vulnerability in this disclosure only affects one pharmacy,
it is a sign of a large misalignment in security design of existing
health care systems. The underlying networks interlinking the
pharmacies are assumed to be accessible by licensed pharmacists only,
operating under strict state and federal laws, and have not been
designed with Internet connectivity in mind.

The vulnerability in this disclosure points to the fact that a breach
in an Internet-connected system linked to a health care company has
potential to allow the attacker access to other health care providers
via backend networks used to exchange health information. That also
means that a breach in any pharmacy can potentially expose
prescription data of people from other pharmacies as well. Social
engineering can serve as another attack vector for these types of
attacks.

It is hoped that further research into security of large private
networks carrying health care data will be pursued in the future.

CVSS Metrics

Base: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal: 4.1 E:F/RL:OF/RC:C
Environmental: 1.3 CDP:N/TD:L/CR:H/IR:ND/AR:ND

References

CERT VU # 516652

Credit

Discovered by Yakov Shafranovich in collaboration with the Shaftek Enterprises Security Research team. We would like to thank CERT/CC for helping to coordinate the disclosure process, and Vesaria / Grier Forensics for advice. The vendor is thanked for the quick response and fix for this issue.

Timeline

2015–04–28: Notification to CERT
2015–04–28: Vendor notified
2015–04–28: Vendor response received
2015–04–29: Vendor fix
2015–05–01: Public disclosure