Far be it for me to dispute the knowledge of a random throwaway, but I'd be surprised if Amazon didn't have access controls to prevent looking up customer prescription history.
I know the hoops I have to go through just to access customer resource metadata in AWS Support. There are multiple, auditable checks that force you to provide access justification to resources -- and the process is routinely modified to make it more onerous and restrictive.
If we have dual control mechanisms to access routine information about a customer's VPC, I'd be shocked if Amazon didn't have auditable controls on Amazon Pharmacy.
Nope. Any PillPack developer can look up any customer in seconds. Other employees have more limited access, but generally quite a bit of access. Access is logged in production, but developers can also get a clone of the entire production database pretty easily.
That's not necessarily a problem or a HIPAA violation, depending on how it's used, although the opportunity for abuse exists. They cover their ass with annual HIPAA training.