The following is the FTC’s press release. In the next post, I’ll publish HHS’s press release on their settlement with Rite Aid.
Rite Aid Corporation has agreed to settle Federal Trade Commission charges that it failed to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related action, the company’s pharmacy chain also has agreed to pay $1 million to resolve Department of Health and Human Services allegations that it failed to protect customers’ sensitive health information.
“Companies that say they will protect personal information shouldn’t be tossing patient prescriptions and employment applications in an open dumpster,” said Jon Leibowitz, Chairman of the Federal Trade Commission. “We hope other organizations will learn from the FTC’s action against Rite Aid to take their obligation to protect consumers’ personal information
seriously.”
Rite Aid operates the third largest pharmacy chain in the United States, with about 4,900 retail pharmacies and an online pharmacy business.
The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications. At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act (HIPAA). This is the second case in which the FTC and HHS coordinated their investigations and settlements. The agencies resolved similar allegations with CVS Caremark in February 2009.
According to the FTC’s complaint, Rite Aid failed to use appropriate procedures in the following areas:
* disposing of personal information,
* adequately training employees,
* assessing compliance with its disposal policies and procedures, and
* employing a reasonable process for discovering and remedying risks to personal information.
Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair.
The FTC settlement order requires Rite Aid to establish a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain,every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. In addition, the order bars future misrepresentations of the company’s security practices.
The HHS settlement requires Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and get an independent assessment of its compliance for three years. Rite Aid also will pay HHS $1 million to settle the matter. (http://www.hhs.gov/ocr/privacy/)
The FTC vote to approve the complaint and proposed consent agreement was 5-0. The agreement will be subject to public comment for 30 days, until August 27, 2010, after which the Commission will decide whether to make it final. Comments should be sent to: FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. To submit a comment electronically, please click on: https://ftcpublic.commentworks.com/ftc/riteaid/.
Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and its Consumer Response Center, Room 130, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580.
Source: Federal Trade Commission