CVS Caremark, operator of the largest pharmacy chain in the U.S., will pay $2.25M to settle claims that it failed to protect the sensitive medical and financial information of its pharmacy customers and store employees. As part of the settlement, the company has agreed to adopt new practices intended to prevent future privacy violations.
According to a Federal Trade Commission (FTC) News Release issued Wednesday, some of CVS Caremark's more than 6,000 pharmacies disposed of sensitive patient information in open dumpsters -- including empty prescription pill bottles and medication instruction sheets that contained patients' detailed personal and medical information. Many CVS pharmacies also disposed of employment applications and payroll information in the same manner, jeopardizing the privacy of employees and job applicants, according to the FTC.
A related FTC Order requires CVS Caremark to "establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees." The FTC and the U.S. Department of Health and Human Services had been investigating CVS Caremark for alleged privacy violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that requires health care providers and pharmacies to safeguard their patients' medical information.