Drugstore chain CVS has agreed to settlements with the Federal Trade Commission and the US Department of Health and Human Services over complaints about its stores violating patient privacy rights. The FTC had charged CVS with violating federal laws by failing “to implement reasonable and appropriate procedures for handling personal information about customers and employees,” and by making unfair and deceptive claims concerning CVS’s security practices. The FTC says:
The FTC opened its investigation into CVS Caremark following media reports from around the country that its pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers’ personal information; employment applications, including social security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers. […]
The FTC order requires CVS Caremark to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. CVS Caremark will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future misrepresentations of the company’s security practices.
HHS also investigated CVS’s insecure disposal of patient prescription data as violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. HHS announced a settlement where CVS “will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels.” Corrective action includes creating and following “Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.”
Full settlement agreement between FTC and CVS.
Full settlement agreement between HHS and CVS.