CVS CAREMARK

An employee of the covered entity (CE), CVS Caremark, with access to patients’ protected health information (PHI) impermissibly accessed and printed patient drug transfer reports as part of a scheme to fill fraudulent prescriptions. The prescription drug reports were then disclosed to a third party, the employee’s boyfriend, who was a former employee of another CVS store. Law enforcement notified the CE about the breach on March 16, 2011 following a raid of the perpetrators’ home, in which law enforcement confiscated paper documents belonging to the CE. The PHI involved in the breach included the names, addresses, birthdates, prescription numbers, telephone numbers, and prescription names of approximately 654 individuals. The CE provided breach notification to HHS and affected individuals and also offered free credit monitoring. In response to this incident, the CE immediately terminated the employee and retrained pharmacy staff on its HIPAA policies. The CE also provided evidence that both individuals have since had their pharmacy licenses suspended by the state licensing board. As a result of OCR’s investigation, OCR obtained assurances that the corrective actions listed above were completed.
Location of breached information: Paper/Films
Business associate present: No