DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees

Posted on July 27, 2010 by Dissent

The following is the FTC’s press release. In the next post, I’ll publish HHS’s press release on their settlement with Rite Aid.

Rite Aid Corporation has agreed to settle Federal Trade Commission charges that it failed to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related action, the company’s pharmacy chain also has agreed to pay $1 million to resolve Department of Health and Human Services allegations that it failed to protect customers’ sensitive health information.

“Companies that say they will protect personal information shouldn’t be tossing patient prescriptions and employment applications in an open dumpster,” said Jon Leibowitz, Chairman of the Federal Trade Commission. “We hope other organizations will learn from the FTC’s action against Rite Aid to take their obligation to protect consumers’ personal information
seriously.”

Rite Aid operates the third largest pharmacy chain in the United States, with about 4,900 retail pharmacies and an online pharmacy business.

The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications. At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act (HIPAA). This is the second case in which the FTC and HHS coordinated their investigations and settlements. The agencies resolved similar allegations with CVS Caremark in February 2009.

According to the FTC’s complaint, Rite Aid failed to use appropriate procedures in the following areas:

* disposing of personal information,
* adequately training employees,
* assessing compliance with its disposal policies and procedures, and
* employing a reasonable process for discovering and remedying risks to personal information.

Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair.

The FTC settlement order requires Rite Aid to establish a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain,every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. In addition, the order bars future misrepresentations of the company’s security practices.

The HHS settlement requires Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and get an independent assessment of its compliance for three years. Rite Aid also will pay HHS $1 million to settle the matter. (http://www.hhs.gov/ocr/privacy/)

The FTC vote to approve the complaint and proposed consent agreement was 5-0. The agreement will be subject to public comment for 30 days, until August 27, 2010, after which the Commission will decide whether to make it final. Comments should be sent to: FTC, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. To submit a comment electronically, please click on: https://ftcpublic.commentworks.com/ftc/riteaid/.

Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and its Consumer Response Center, Room 130, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580.

Source: Federal Trade Commission

Related posts:

  • Rite Aid mobile app left customer prescription history vulnerable – customer
  • Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
  • Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
Category: Breach IncidentsExposureHealth DataOf NotePaperU.S.

Post navigation

← Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The patient data appears fake. (2)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care
  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.