Theft of prescription bottles during riots results in breach notifications
There was a lot of media attention last month when Rite Aid disclosed that it was notifying customers whose prescriptions with personal and Rx information were stolen during the Baltimore riots in April.
Flying somewhat lower under the media radar, however, was the fact that CVS similarly started notifying its customers later in June. The Baltimore Sun ran a news story on June 26 that begins:
CVS is offering a year of free credit monitoring and identity theft protection to Baltimore residents whose prescriptions were stolen amid looting across the city April 27.
CVS Health is sending out notices to those affected, offering the credit monitoring “out of an abundance of caution,” the company said in a statement.
Neither pharmacy giant appears to have reported this to HHS, or if they did, they reported it as less than 500 affected, as I don’t see this incident on HHS’s public breach tool.
What I do see, however, is that CVS in Rhode Island reported an incident to HHS that affected 12,914 and where the incident was described as theft of information that was located on a desktop computer. Whether the computer was stolen or just the information was stolen from the computer is unclear from HHS’s reporting tool. I was unable to locate any substitute notice that described this incident and CVS Caremark did not respond to an inquiry asking for clarification on that report.