CVS Settles Data Breach Cases, Pays $2.25 MM Fine

CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law, according to the Federal Trade Commission.

Separately, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA), according to the FTC.

CVS operates the largest pharmacy chain in the U.S, with more than 6,300 retail outlets and online and mail order operations, said the FTC.

The FTC order requires CVS to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees, according to the FTC.

The order also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order, according to the Commission.

The HHS settlement requires CVS to establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years, according to the FTC.

The Commission said it opened this investigation following media reports from around the country that its pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies.

That information also social security numbers; payroll information and credit card and insurance card information, account numbers and drivers license numbers, according to the FTC.

At the same time, HHS opened its investigation into the pharmacies’ disposal of health information protected by HIPAA, according to the FTC.

The FTC’s complaint charged that CVS failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws.

In particular, CVS did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information and did not employ a reasonable process for discovering and remedying risks to personal information, according to the Commission.

CVS allegedly made claims such as “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.” The FTC alleged that the claim was deceptive and that CVS’s security practices also were unfair and violate the FTC Act, continued the Commission.