Maryland Attorney General's Office enforcement actions for improper disposal of records with PHI
I was just reading news story about a breach in Maryland, and was surprised to learn that the Maryland Attorney General’s Office had charged two health care entities with improper disposal of records and that both cases had settled over the summer. Here’s the press release from August 27, 2013:
Attorney General Douglas F. Gansler today announced that his Consumer Protection Division has entered into a settlement with a Laurel physician, Marie A. Dobyns, M.D., P.A., doing business as Amos Medical Services, to resolve allegations of improperly disposing of medical records that contained patients’ personal information.
“Businesses have a responsibility to protect consumers’ privacy so that their information does not fall into the wrong hands and used to cause harm,” said Attorney General Gansler. “When a physician’s office disposes of its patient records that contain personal consumer information, including sensitive health information, it needs to shred them or take other steps to ensure that a consumer’s privacy is not compromised.”
The Division alleged that in May 2013, when Amos Medical Services moved its office location within Laurel, instead of properly disposing of its outdated medical records that contained private and sensitive consumer information, the business threw them in a dumpster. Approximately 400 patient records were discovered in the dumpster.
Under the Maryland Consumer Protection Act, it is an unfair and deceptive trade practice for a business to throw away records containing its customers’ personal information without taking reasonable steps to protect against unauthorized access to or use of the personal information.
Based on its investigation, the Division believes no consumers’ personal information was compromised. Once the records were discovered, they were retrieved from the dumpster and a shredding company was hired to properly destroy them.
The settlement requires the company and Dr. Dobyns to pay a $20,000 penalty and take steps in the future to protect against the unauthorized access to personal or sensitive consumer information when disposing of records, such as hiring a shredding company.
Consumers with privacy concerns, including those who may have been a victim of identity theft, should contact the Attorney General’s Identity Theft Unit by calling 410-576-6491.
And here’s a press release from the following day, announcing that CVS had agreed to pay $250,000 to settle charges that included improper disposal of patient records:
Attorney General Douglas F. Gansler today announced that his Consumer Protection Division has entered into a settlement with CVS Pharmacy, Inc., and Maryland CVS Pharmacy, LLC, to resolve allegations that CVS Pharmacy failed to take appropriate security measures to protect the sensitive financial and medical information of its customers. The settlement also resolves allegations that CVS sold and offered for sale products after their expiration or “sell by” dates had passed.
“This settlement speaks to the health and wellbeing of all consumers,” said Attorney General Gansler. “Expired products don’t belong on store shelves and we know that individuals’ personal information, if exposed, could lead to serious problems.”
The Division investigated concerns that CVS pharmacies were throwing records containing personal identifying information, including health information in open dumpsters.
The Division also investigated CVS pharmacies’ alleged sale of expired products, including baby formula, dairy products and over-the-counter drugs, including infant, children and adult medications and vitamins.
Under the Maryland Consumer Protection Act, it is an unfair and deceptive trade practice for a business to attempt to dispose of records containing its customers’ personal information without taking reasonable steps to protect against unauthorized access to or use of them. It is also an unfair and deceptive trade practice to offer for sale a product that is no longer effective for its intended use.
The Division alleged that CVS Pharmacy had inadequate policies and procedures to prevent the sale of expired products and to protect consumers’ personal information. Furthermore, CVS failed to monitor and enforce procedures that were in place and intended to safeguard consumers.
The settlement agreement requires CVS to maintain, revise as needed, and enforce newly established policies and procedures for the disposal of protected health information; implement an employee training program for handling and disposing of such patient information; conduct internal monitoring; and, report any noncompliance to the Division for three years.
The settlement agreement also requires that policies and procedures be similarly implemented and enforced regarding the sale or offer for sale of expired products. Moreover, for at least three years, CVS registers will prompt cashiers to confirm that dairy products, baby food, infant formula and over-the-counter children’s drugs are not expired. Also, for at least two years, CVS will offer consumers a $2 discount coupon toward any purchase if a consumer finds and turns in an expired product (over-the-counter drugs, edible product, and vitamins and dietary supplements) on store shelves.
CVS will pay the Division $250,000 to settle the matter.
Additionally, the settlement requires CVS for a three-year period to hire an outside independent auditor to visit every CVS location in Maryland at least once a month to evaluate compliance with the outdated products policies.