CVS spanked over customer privacy failures, pays $2.25M to settle HIPAA violations

The largest pharmacy chain in the US, CVS Caremark, today settled Federal Trade Commission charges that it failed "to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees," in violation of federal law. In a separate but related agreement, the company's retail pharmacy chain also agreed to pay $2.25 million to resolve Department of Health and Human Services (HHS) allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).

According to the FTC, the settlement requires CVS, which has more than 6,300 retail outlets plus online and mail-order pharmacy businesses, to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order.

The HIPAA settlement requires CVS pharmacies to set policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years. CVS also will pay HHS $2.25 million to settle the matter.

The FTC opened an investigation into CVS after numerous reports from around the country said CVS pharmacies were discarding, in open dumpsters, trash that contained pill bottles with patient names, addresses, prescribing physicians' names, medications and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers' personal information; employment applications, including Social Security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver's license numbers. At the same time, HHS opened its investigation into the pharmacies' disposal of health information protected by HIPAA, the FTC said.

The FTC said that CVS engaged in a number of practices that, taken together, failed to protect sensitive consumer and employee information. In particular, CVS failed to: (1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal; (2) adequately train employees to dispose securely of such information; (3) use reasonable measures to assess compliance with its established policies and procedures for the disposal of such information; or (4) employ a reasonable process for discovering and remedying risks to such information.


Copyright © 2009 IDG Communications, Inc.