While waiting to pick up a prescription, I noticed that the person in line ahead of me picked up prescriptions for both himself and his wife. Oh, good idea, I said to myself -- I should authorize Dani to pick up mine, just for flexibility.
When it was my turn I asked how to add my husband as someone who can pick up my prescriptions. Oh, the person manning the desk said cheerily, you don't have to do anything -- he just has to know your birthdate.
When picking up a prescription the only challenge I ever have to answer verbally (besides my name) is my birthdate. I do not, for example, have to say what medicine I'm here to pick up, or even how many prescriptions. The usual interaction is:
Clerk: two prescriptions?
Clerk: Any questions?
Clerk: Loyalty card? (swipe) Sign here. That'll be $X.
I don't have to show ID, but I assumed they were reading that out of my loyalty card. But no, anybody who knows an easily-compromised piece of information (how many data breaches have included this by now??), shows up in person, and has reason to believe that I have some prescription waiting can (a) collect it (denying it to me) and (b) find out what I'm taking. Hell, if the attempt comes up empty -- no prescriptions currently waiting -- the person can probably say "oh, I was expecting my doctor to have called in, um, I can't remember the name now" and be prompted for options.
Granted, this is a physical attack so it can't be done by just anybody on the Internet. But it's still a security vulnerability, especially when targeting older customers (good odds of being on something) or people known to need expensive medicines (either because of street value or to troll the victim). We worry about other physical attack vectors, like credit-card skimming.
I asked if I could attach a password to my record for pickups, but their software doesn't support that. I didn't ask if I could change my birthdate of record, because if I do that I'm just asking to have to prove it at some point in the future. (My bank, in contrast, has never asked me to prove that my mother's maiden name contains numbers and punctuation and, well, not a recognizable name.)
Is this the norm for pharmacies, or might looking for a different one be productive?