CVS, Walgreens settle with Indiana AG

Settlements have been reached between the Indiana Attorney General’s office and two pharmacy chains – CVS and Walgreens – to resolve data-breach complaints that customers’ medical information was improperly discarded in trash bins outside pharmacy stores. The agreement comes as the Attorney General begins a new concerted effort geared to address the growing problem of identity theft.

Under the agreements, negotiated by the Attorney General’s office and representatives of the Indiana Board of Pharmacy, both CVS/pharmacy and Walgreen Co. agree to implement extensive employee training, management policies and detailed reporting to provide greater safeguards so that customers’ personal information will not be improperly disclosed.

Filed today, both proposed agreements are scheduled for consideration by the Board of Pharmacy on Monday, July 13, and would take effect upon the board’s order.

“By locking in new records-handling procedures, the agreements create a new level of protection for customers of these pharmacies that their private medical information will remain just that – private and confidential,” Indiana Attorney Greg Zoeller said.

The cases involved 10 CVS pharmacies and six Walgreens pharmacies in Indiana. In 2006, an Indianapolis television station aired news segments about customers’ prescription records being discovered in outdoor trash bins where they could have been found and used to commit identity theft, although no actual consumer is known to have been victimized.

After investigating, the Office of the Indiana Attorney General filed administrative complaints in 2007 with the Board of Pharmacy against the licenses of individual pharmacies and pharmacists involved in the data disclosures at the stores.

Disclosing confidential medical information violates state and federal laws, including the federal Health Insurance Portability and Accountability Act or HIPAA. The federal Office of Civil Rights also investigated the privacy breaches; and eventually it reached its own settlement with CVS where that company agreed to pay the federal government $2.25 million in civil penalties. The OCR’s federal case involving Walgreen Co. is ongoing.

“Our goal has been to provide a consistent resolution on the CVS and Walgreens cases so that they will follow new requirements that will establish strong standards. The bottom line: consumers of both chains will be protected,” Zoeller added.

Under the agreements, both CVS and Walgreens will submit annual reports with the Board that detail changes to their policies, their employee training programs and other steps to comply with state and federal privacy laws. All pharmacy employees at the stores will be trained on the new rules. And if any medical-privacy breach happens in the future, CVS or Walgreens would be required to notify the Board of Pharmacy and Attorney General’s Office.

Under the agreement, CVS will make a $1,000 donation to a charity of its choice, in addition to the $2.25 million it paid under the federal agreement. Walgreens will pay $6,000 to reimburse all costs to the state for its investigation.

“These payments are not intended to be punitive; they represent the companies’ commitments to ensuring consumers’ privacy,” Zoeller said. “This comes at a time we are making a concerted effort to address the growing problem of identity theft in Indiana. Under enhancements to state and federal laws, we now will have additional legal tools to protect Hoosiers.”

Both companies issued statements about the proposed settlement agreements:

“CVS/pharmacy is committed to being an industry leader in privacy matters and places a high priority on protecting the privacy of its customers. This matter relates to the alleged inadvertent disposal of patient information at a small number of Indiana CVS/pharmacy locations in 2006 in a manner that was inconsistent with our policies and procedures,” said Christine Egan, Vice President of Privacy Practices at CVS Caremark. “Our settlement obligations with the State of Indiana reinforce our existing business practices in regard to protecting patient information, employee training on privacy issues, and monitoring the effectiveness of privacy policies and procedures on a regular basis.”

The statement from Walgreen Co.:

“We are glad to reach this agreement and believe we have always followed HIPAA standards. We have sound practices and policies that protect our patients’ information, and we will continue to adhere to them.”

The Board of Pharmacy had a representative at each set of negotiations with the Attorney General’s office and the pharmacy companies.

Source: Office of the Indiana Attorney General

About the author: Dissent