CVS Caremark claims to have strict waste disposal policies at its retail pharmacies, including the shredding of private patient information and prescriptions. In fact, New York City residents, especially local CVS customers, recently experienced the opposite: their private information was found blowing in the streets of the East Side of Manhattan, the Daily News reported.
According to the paper, a pile of prescriptions including patient names and personal information was discovered on East 18th Street near a CVS pharmacy’s back door. As disturbing as this single instance is, CVS Caremark has a track record of similar problems that have fueled allegations that the joint retail-pharmacy benefit manager conglomerate is incapable of adequately protecting sensitive patient information.
- In 2009 CVS Caremark agreed to settle Federal Trade Commission charges that it failed to take “reasonable and appropriate security measures” to protect the sensitive financial and medical information of customers and employees, a violation of federal law. In a companion agreement with the U.S. Department of Health and Human Services, CVS Caremark paid $2.25 million to settle alleged violations of the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The HHS settlement required CVS pharmacies “to establish and implement policies and procedures for disposing of protected health information.”
- CVS Caremark says it settled for $2.25 million “to avoid the time and expense of further legal proceedings.” But two years earlier CVS privacy officer Christine Egan admitted, “We are not safeguarding customer privacy as we are required to do… It’s sad and intolerable.”
- In large part, the case stemmed from a 2006 story in which investigative reporters from Indianapolis, IN, discovered CVS Caremark records in dumpsters across the country, including Boston, Chicago, Cleveland, Detroit, Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, and Phoenix. Hundreds of private customer records were also found in Woonsocket, RI, the corporate headquarters of CVS Caremark, WTHR-TV reported.
- The office of the Texas Attorney General also investigated instances of similar document disposal problems. CVS Caremark agreed to pay $315,000 to the State of Texas in 2008.
After the merger of pharmacy giant CVS with PBM Caremark, patients complained of improper patient data sharing between the two companies. During merger talks CVS CEO Tom Ryan assured the Federal Trade Commission that the company would be “agnostic [about] where the consumer fills their prescription.”
Questions about whether that standard has been met led consumer and privacy groups to join NCPA in seeking an investigation by HHS and FTC into privacy concerns arising from the merger of CVS and Caremark. This follows a bipartisan Congressional call to join NCPA and others in asking federal antitrust regulators to open an investigation into CVS’s merger with Caremark.