February 26, 2009
On February 18, 2009, CVS Caremark (“CVS”) and the Federal Trade Commission (“FTC”) announced that CVS has agreed to settle FTC charges that it failed, in violation of federal law, to take reasonable and appropriate security measures to protect the sensitive financial and health information of its customers and employees. In a separate but related agreement, CVS has also agreed to pay $2.25 million to the Department of Health and Human Services (“HHS”) to resolve allegations that it violated the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). The settlements conclude the first such joint investigation by the FTC and HHS.
CVS operates a nationwide retail pharmacy chain, with more than 6,300 retail outlets and online and mail-order pharmacy businesses.
Joint FTC/HHS Investigation
The FTC opened its investigation of CVS after media outlets reported in 2006 and 2007 that CVS dumped prescription drug and other personal information into unsecured trash containers. According to the FTC, among the materials dumped were (1) prescription pill bottles containing customers’ names, addresses, prescribing physician names, medication and dosages, (2) medication instruction sheets and computer order information containing customers’ personal information, (3) employment applications containing Social Security numbers, (4) payroll information, and (5) customers’ credit card and insurance information including, in some cases, account numbers and driver’s license numbers. The HHS opened its own investigation following the same reports. The FTC and HHS coordinated their investigations and settlements.
The FTC’s complaint charged that CVS failed to implement reasonable and appropriate procedures for handling customers’ and employees’ personal information, in violation of the Federal Trade Commission Act. More specifically, according to the FTC complaint, CVS did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees regarding such disposal, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information. The complaint also charged that CVS made false and deceptive statements about its privacy policies, assuring customers that CVS was taking reasonable and appropriate measures to safeguard personal information.
FTC Consent Order
The FTC consent order requires CVS to establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of customers’ and employees’ personal information. The FTC consent order also requires CVS to obtain, every two years for the next twenty years, an audit from a qualified, independent, third party professional to ensure that its security program meets the standards of the order.
The order is available for public comment for thirty days (through March 20, 2009). At the conclusion of the thirty-day period, the FTC will review the agreement, along with any comments received, and will decide whether it should withdraw from or finalize the agreement.
The HHS settlement requires CVS to pay $2.25 million to HHS, establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years.
While the CVS case is the FTC’s 24th case challenging the failure of a company to implement reasonable information security practices, it is the first such case to (1) involve a health care provider, (2) proceed jointly with HHS, and (3) challenge the security of employee data.
The CVS case and the FTC’s new authority under HIPAA as amended by the American Recovery and Reinvestment Act of 2009 (see our 2/23/09 news item) signal greater involvement by the FTC with respect to personal health information privacy and security.
For more information, please contact the members of our Health Care group or the authors.