The U.S. retail pharmacy chain CVS Caremark settled a complaint with the FTC this month for allegedly failing to take proper steps to protect sensitive consumer information. While this may sound familiar to our readers (see our previous posting about geeks.com), recent FTC activity in the area of privacy continues to capture our attention. What makes this case even more interesting is that CVS settled not only with the FTC, but also entered into a separate, related settlement with the Department of Health and Human Services (“HHS”) over violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The accusations aimed at CVS by both the FTC and HHS involved the improper disposal of sensitive consumer information. More specifically, CVS was allegedly discarding into open dumpsters materials that included: pill bottles labeled with patient names and addresses, as well as medication names and doses; medication information sheets containing personal identifying information; company employment forms, including payroll forms with employee Social Security numbers; and patient credit card and insurance information, including driver's license numbers. According to the complaint, television stations reported finding personal information in CVS dumpsters in at least 15 separate cities.
The FTC charged CVS with making false and deceptive statements about its privacy practices, namely, telling customers that the company took reasonable measures to protect their information. Despite assuring consumers that personal identifying and health information would be protected from unauthorized access, CVS allegedly failed to provide any secure means of disposing of that information, failed to adequately train personnel on the proper disposal of protected information, and failed to assess whether its documented privacy policies were actually being followed.
In addition to the FTC, HHS became involved in the case, eventually settling with CVS for $2.25 million. The settlement is highly significant when measured against typical HHS enforcement of the HIPAA Privacy Rule, which normally takes place very much behind the scenes. The Privacy Rule requires that healthcare providers, including pharmacies, protect the privacy of individually identifiable health information, including at the point of disposal. HHS noted that this was the first instance in which it had coordinated an investigation and resolution with the FTC. Both agencies are requiring CVS to seriously revamp its current privacy practices: the FTC settlement requires 20 years of follow-up monitoring, while the HHS settlement requires 3 years.
This investigation, and the subsequent settlement, highlights the importance the FTC is placing on privacy and information security generally. In addition to the allegations regarding customer information, the complaint also noted that CVS improperly disposed of employee information, adding another interesting dimension to this case. As seen both here and in the geeks.com settlement, company privacy policies must be effective on paper and in practice, regardless of the form in which the information is collected and stored; a policy that is written but never trained on, audited, or followed at the dumpster is no defense. In addition, companies must provide reasonable information security for personal information throughout its entire lifecycle, and disposal of paper records is as much a part of that lifecycle as the protection of electronic data. Finally, be aware that the pain inflicted by two enforcement agencies that team up is greater than the pain inflicted by one.