by whoknew1122 2041 days ago
Far be it from me to dispute the knowledge of a random throwaway, but I'd be surprised if Amazon didn't have access controls to prevent looking up customer prescription history.

I know the hoops I have to go through just to access customer resource metadata in AWS Support. There are multiple, auditable checks that force you to provide access justification to resources -- and the process is routinely modified to make it more onerous and restrictive.

If we have dual control mechanisms to access routine information about a customer's VPC, I'd be shocked if Amazon didn't have auditable controls on Amazon Pharmacy.

1 comments

Nope. Any PillPack developer can look up any customer in seconds. Other employees have more limited access, but generally quite a bit of access. Access is logged in production, but developers can also get a clone of the entire production database pretty easily.

That's not necessarily a problem or a HIPAA violation, depending on how it's used, although the opportunity for abuse exists. They cover their ass with annual HIPAA training.