Network World

Michael Cooney

CVS spanked over customer privacy failures, pays $2.25M to settle HIPAA violations

By Layer 8 on Wed, 02/18/09 - 10:55am.

The largest pharmacy chain in the US, CVS Caremark, today settled Federal Trade Commission charges it failed "to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees," in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).

According to the FTC, the settlement requires CVS, which has more than 6,300 retail outlets plus online and mail-order pharmacy businesses, to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.

The HIPAA settlement requires CVS pharmacies to set policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years. CVS also will pay HHS $2.25 million to settle the matter.

The FTC opened an investigation into CVS after numerous reports from around the country said CVS pharmacies were throwing into open dumpsters trash that contained pill bottles with patient names, addresses, prescribing physicians' names, medications and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers' personal information; employment applications, including Social Security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver's license numbers. At the same time, HHS opened its investigation into the pharmacies' disposal of health information protected by HIPAA, the FTC said.

The FTC said that CVS engaged in a number of practices that, taken together, failed to protect sensitive consumer and customer information. In particular, CVS failed to: (1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal; (2) adequately train employees to dispose securely of such information; (3) use reasonable measures to assess compliance with its established policies and procedures for the disposal of such information; or (4) employ a reasonable process for discovering and remedying risks to such information.

It's about time.

When I pick up a prescription for a controlled substance, CVS writes my driver's license number on the signature pad on the pharmacy counter. I have complained, but they don't see it as a problem. It's about time that they are made to protect my information.

Report It

You might try to contact the CVS corporate Information Security department and speak with the Information Security Manager, who should be able to mitigate and ensure privacy for all customers. Additionally, you might also contact the CVS Privacy Office as well. These teams function to ensure this type of issue is remedied. As a former security consultant, I used to "dumpster dive" and we would find so much information like this.

CVS fine

I would like to suggest that a more appropriate use for the $2.25 million fine exists rather than donating it to HHS. Newer drugs are incredibly expensive for the consumer (those ads on prime time TV are not cheap!!!). The $2.25 million should go into a fund for consumers who have lost their insurance along with their jobs.

CVS Fine

How is the fine that CVS paid to the FTC shared with the people whose information was exposed?

About Layer 8
Layer 8 is written by Michael Cooney, an online news editor with Network World