The chain was CVS Corp., which has more than 5,400 stores in the United States.
The program, called ExtraCare, was created to allow consumers to qualify CVS nonprescription products for government- and insurance company-sanctioned flexible spending account programs.
Those programs allow for consumers to set aside a portion of their salaries—using pre-tax dollars—for medical costs, but they must spend all of the dollars.
Customers were issued an ExtraCare card with a number on it. To access a history of their purchases, theyd access the Web site and have to provide three pieces of information: the 11-digit card number, their ZIP code and the first three letters of their last name. The list would then be e-mailed to the e-mail address provided, which did not have to be the e-mail address on file.
A privacy advocacy group called CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) tested the system and found it easy to fool.
The group even grabbed the recent purchases of a news reporter and had them e-mailed to the groups domain to prove to the reporter how weak the security was, said CASPIAN director Katherine Albrecht.
The flexible spending account products "fall into the most private categories, including family planning and medical testing," Albrecht said.
The three identifiers CVS chose were far too easy to find or guess, she said. The card number is both imprinted on the card—where it can be easily seen by someone else in line—and on every receipt, she said.
A statement from CVS, headquartered in Woonsocket, R.I., said the full card number is not printed on the receipt, but it was unclear whether enough of the number is used to give someone access. CVS did not reply to repeated e-mails and voice-mails messages sent by Ziff Davis Internet over several days seeking clarification.
Albrecht said such cards are often carried where others can see them. "Millions of people have them hanging off their keychains," she said.