Wednesday, February 18, 2009

CVS Caremark Settles Charges of Dumping Sensitive Financial, Medical Information

This posting was written by Jeffrey May, Editor of CCH Trade Regulation Reporter.

CVS Caremark Corporation has agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees from unauthorized access and that it misrepresented the measures that it took.

In a separate but related agreement, the company’s pharmacy chain agreed to pay $2.25 million to resolve Department of Health and Human Services (HHS) allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).

CVS Caremark, the largest U.S. pharmacy chain, operates more than 6,300 retail outlets and online and mail-order pharmacies.

According to the FTC's complaint, CVS pharmacies discarded materials containing personal information (such as prescriptions, prescription bottles, credit card receipts, and employee records) in unsecured, publicly accessible trash dumpsters. Thus, the agency alleged, the representations in the company's privacy policy that it took the privacy of customers' health information seriously were false or misleading.

Further, the company allegedly engaged in unfair practices by failing to employ reasonable and appropriate measures to prevent unauthorized access to personal information.

A proposed FTC consent order would require CVS Caremark to maintain a comprehensive information security program designed to protect the personal information it collects from consumers and employees. It also would require the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional. Finally, the settlement would bar future misrepresentations of the company’s security practices.

The HHS settlement requires CVS pharmacies to establish and implement procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance. CVS also will pay HHS $2.25 million to settle the matter.

The FTC complaint and proposed consent order, In the Matter of CVS Caremark Corp., appear here on the FTC website. Further details appear at CCH Trade Regulation Reporter ¶16,266.