I went to Walgreens.com last night to get a refill on my son's prescription. I didn't have an account and created one. I used the username pamt (surprise!) and was told that it was already in use. No biggie--I can see where that might be duplicated. Then I used the username which I sometimes use--it's a family nickname and pretty uncommon I would think. I was told that this username was already in use, but then it asked for a password and I used the one I always use--a combination of letters and numbers that I can't imagine anyone else using. It created an acct for me and I proceeded to enter my address and phone number for delivery and confirmation. After I hit submit I realized that the site said I was logged on as someone else and with another email address. Yikes!!

I called Walgreens internet people this morning and that said that I had indeed tapped into someone else's account and changed the address and phone information. I suggested that they had a major glitch in their system that they needed to check. The woman on the phone kept telling me that I "just so happened" to guess someone else's username and password. I'm sorry, but the statistical chances of me picking someone else's very odd and personal username AND password are slim to none. I can't buy that I happened to get them right. I think there's glitch in the system. Who should I contact? Where do I go from here? To think that this other woman could have my personal identifying info (fortunately I hadn't enter CC info yet) and I could have viewed her medical and prescription history if just scary.

By Karen~admin on Friday, July 28, 2006 - 11:29 am:

Wow, I would compose a letter and send it to all upper management and IT personnel at Walgreens corporate and local. That is dangerous, not to mention an invasion of privacy. I agree with you, the odds of you just happening to pick the same username/password are highly unlikely. I never refill Rx's online, and that's one of the reasons.

By Colette on Friday, July 28, 2006 - 11:40 am:

Send it to the director of IT corporate.

By Conni on Friday, July 28, 2006 - 12:27 pm:

That is scary!!!! Ditto getting in contact with their corporate office. Yikes. I agree no way you could have figured out what their name/password were.

By Ginny~moderator on Friday, July 28, 2006 - 05:40 pm:

Ditto on getting in touch with their corporate office. Most sites that require registration require a combination of username + passworld +email address. While it is possible (not likely, but possible) that you could have the same username and password, if they added in the email address as an identifier, that wouldn't have happened.

Yes, this is scary. Further, it is probably a violation of HIPAA (Health Insurance Portability and Accountability Act)(patient records and privacy laws - federal).

By Dawnk777 on Friday, July 28, 2006 - 07:25 pm:

Talk to corporate. The person at the Walgreen's doesn't sound like she knew too much about internet security.

By Emily7 on Friday, July 28, 2006 - 08:18 pm:

I also would talk to the corporate office, that is really scary!