CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).
“This is a case that will restore appropriate privacy protections to tens of millions of people across the country,” said William E. Kovacic, Chairman of the Federal Trade Commission. “It also sends a strong message to other organizations that possess consumers’ protected personal information. They are required to secure consumers’ private information.”
CVS Caremark operates the largest pharmacy chain in the United States, with more than 6,300 retail outlets and online and mail-order pharmacy businesses.
The FTC opened its investigation into CVS Caremark following media reports from around the country that its pharmacies were throwing trash into open dumpsters that contained pill bottles with patient names, addresses, prescribing physicians’ names, medication and dosages; medication instruction sheets with personal information; computer order information from the pharmacies, including consumers’ personal information; employment applications, including social security numbers; payroll information; and credit card and insurance card information, including, in some cases, account numbers and driver’s license numbers. At the same time, HHS opened its investigation into the pharmacies’ disposal of health information protected by HIPAA. The FTC and HHS coordinated their investigations and settlements.
The FTC’s complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.
CVS Caremark made claims such as “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.” The FTC alleged that the claim was deceptive and that CVS Caremark’s security practices also were unfair. Unfair and deceptive practices violate the FTC Act.
The FTC order requires CVS Caremark to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. CVS Caremark will be subject to standard record-keeping and reporting provisions to allow the FTC to monitor compliance. Finally, the settlement bars future misrepresentations of the company’s security practices.
The HHS settlement requires CVS pharmacies to establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years. CVS also will pay HHS $2.25 million to settle the matter http://www.hhs.gov/news/press/2009pres/02/20090218a.html.
The Commission vote to accept the proposed consent agreement was 4-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 20, 2009, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580
