DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

CVS Caremark Settles FTC Charges; CVS Pharmacy Also Pays $2.25 Million to Settle Allegations of HIPAA Violations

Posted on February 18, 2009 by Dissent

FTC Press Release:

CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).

“This is a case that will restore appropriate privacy protections to tens of millions of people across the country,” said William E. Kovacic, Chairman of the Federal Trade Commission. “It also sends a strong message to other organizations that possess consumers’ protected personal information. They are required to secure consumers’ private information.”

CVS Caremark operates the largest pharmacy chain in the United States, with more than 6,300 retail outlets and online and mail-order pharmacy businesses.

The FTC opened its investigation into CVS Caremark following media reports from around the country that its pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers’ personal information; employment applications, including social security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers. At the same time, HHS opened its investigation into the pharmacies’ disposal of health information protected by HIPAA. The FTC and HHS coordinated their investigations and settlements.

The FTC’s complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

CVS Caremark made claims such as “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.” The FTC alleged that the claim was deceptive and that CVS Caremark’s security practices also were unfair. Unfair and deceptive practices violate the FTC Act.

The FTC order requires CVS Caremark to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. CVS Caremark will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future misrepresentations of the company’s security practices.

The HHS settlement requires CVS pharmacies to establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years. CVS also will pay HHS $2.25 million to settle the matter http://www.hhs.gov/news/press/2009pres/02/20090218a.html.

The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 20, 2009, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580

Agreement containing Consent Order

More documents

Category: ExposureHealth DataPaperU.S.

Post navigation

← GSA responds to GovTrip breach (follow up)
CVS Settles with FTC on privacy charges; CVS Pharmacy pays $2.5 million to settle HIPAA allegations →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.