Internal emails raise questions about government’s investigation into Walgreens privacy breach
I am so glad to see a follow-up on this case because I had the same questions about how and why Walgreens did not suffer the same federal penalties as CVS and Rite Aid for the same infringement of HIPAA. My original coverage of this breach is no longer online as the former version of pogowasright.org wasn’t imported into the newer database. CVS and Walgreens both settled with the Indiana Attorney General’s Office in 2009, but whereas Rite Aid and CVS both came under federal enforcement from both the FTC and HHS, Walgreens… didn’t.
Bob Segall reports:
The nation’s three largest pharmacy chains were all caught red-handed.
A 13News investigation revealed the drugstores had been disposing of their customers’ protected health information in unsecured dumpsters — a clear violation of the nation’s health care privacy law known as HIPAA.
Following that 2006 WTHR investigation, CVS and Rite Aid reached settlement agreements with the U.S. Department of Health and Human Services’ Office for Civil Rights, and they paid a combined $3.25 million in fines for jeopardizing their customers’ privacy. At the time, they were the largest settlements the government had ever reached for violations of HIPAA.
But the government’s Walgreens investigation was very different. Unlike the CVS and Rite Aid cases — which were both resolved within a few years — OCR’s Walgreens investigation dragged on for nearly a decade. And it resulted in no settlement. No fine. No penalty at all.
Read more on Fox61.