Earlier this year, CVS Caremark agreed to settle FTC charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company's pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated HIPAA regulations.
"This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said FTC chairman William Kovacic following the settlement. "It also sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information."
Under the final consent order, CVS Caremark is required to rebuild its security and confidentiality program, which will be audited every two years for the next 20 years. The HHS settlement requires the company to develop a new training program to instruct employees on how to handle patient data.
The FTC opened its investigation into CVS Caremark following media reports from around the country that its pharmacies were throwing trash into open dumpsters that contained all sorts of personal information -- including patient records, credit card information, employment applications, and account data. At the same time, HHS opened its investigation into the pharmacies' disposal of health information protected by HIPAA. The FTC and HHS coordinated their investigations and settlements.
The FTC's complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information, the FTC said.
CVS Caremark made claims, such as, "CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information." The FTC alleged that the claim was deceptive, and that CVS Caremark's security practices also were unfair. Unfair and deceptive practices also violate FTC regulations.
The FTC order requires CVS Caremark to "establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees." It also requires the company to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. The order also bars CVS Caremark from making future misrepresentations of the company's security practices. The HHS settlement requires CVS pharmacies to establish and implement policies and procedures for disposing of protected health information, implement a training program for handling and disposing of such patient information, conduct internal monitoring, and engage an outside independent assessor to evaluate compliance for three years. CVS also will pay HHS $2.25 million for the HIPAA violations.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.