CVS to pay $2.25 million to settle HIPAA violation

CVS Caremark must pay $2.25 million to settle federal charges that its employees threw out personal information about patients into garbage bins.

The Federal Trade Commission (FTC) said on Wednesday that the company -- which operates about 6,300 retail outlets -- lacked proper procedures for discarding sensitive data about customers when, in 2006, pharmacy workers unloaded pill bottles, medication instruction sheets and computerized order information into open trash containers.

This personal information was protected under the Health Insurance Portability and Accountability Act (HIPAA), according to the FTC.

In addition to the settlement fee, CVS Caremark will now be required to establish policies for disposing of personal information and will have to submit to a biennial audit by a third party.

Experts said on Wednesday that the settlement could signal a shift by regulators, which traditionally have been lax in going after alleged HIPAA offenders.

"Until these regulations have teeth, they're meaningless," said Kurt Baumgarten, vice president of information security at Peritus Security, which advises companies on compliance. "If they're actually going to start using regulations for the purpose they were designed, the only way to unfortunately crack down on [violating] best practices is to punish the organizations that are basically playing a game of rolling the dice."

CVS denied any wrongdoing but decided to settle to avoid costly litigation, according to a company statement.
