Walmart, who reported a breach involving pharmacy records in March, has disclosed another breach to HHS. This one, reported June 8, reportedly affected 27,393 patients. Thankfully, it does not seem to have exposed particularly sensitive information.
DataBreaches.net asked Walmart for a statement describing the incident, and received the following statement:
Recently, we learned that the company that processes our patient refund checks experienced a printing error.
This error caused incorrect information to be printed on the letters that accompanied the refund checks sent to customers. As a result, the mailing a customer received may have included another individual’s information, limited to: (1) name, (2) a pharmacy prescription number or an optical order number, (3) the order date, and (4) a refund amount. The city and state of the Walmart or Sam’s Club visited also was included. It should be noted that no Social Security numbers, driver’s license numbers, financial information, insurance information, addresses, telephone numbers, date-of-birth, or prescription names were disclosed and no electronic information of any kind was affected.
These letters are dated May 13, 2016 and were sent on May 15, 2016. We were informed of the printing error on May 20, 2016 and immediately began looking in to the matter with the company that handled these mailings. We are also reviewing policies and procedures with them to prevent this error from occurring again. Although we do not anticipate any harm to patients and have no indication the information was misused, out of an abundance of caution, we have notified any customers who may have been affected.
While we do not take this lightly, it is important to note that the information that was disclosed is highly unlikely to lead to any fraudulent activity by those who received the letter.
The checks customers received are legitimate and correct. It is a refund they are entitled to receive and should feel assured to cash and utilize it. We will be following up with patients who do not cash their checks to help ensure that all refunds are effectively received. If customers would like to contact us to confirm or replace the check, they should call 1-866-788-5580.
We place great value in our customers’ trust and take this matter very seriously. We are fully committed to protecting the privacy and security of our customers’ personal information.
So was the error at the printing company or in the data files provided to the vendor? In such situations either is real possibility, but is very easy to blame an unnamed vendor. The company will not likely let us know, but knowing that the company is truly trying to identify the failure point would be great.
I truly appreciate the information you provide on this site and I reference it (and your site) to folks in the security, audit, and privacy area here. Thank for the time an effort you make on this site.
As you note, it could be either, but this one reads like it was the vendor’s error because they reviewed the vendor’s policies and procedures and not their own. 🙂
And thank you so much for the kind words about this site.