Home page logo

dataloss logo Data Loss mailing list archives

Walgreens pharmacist patient data breach raises questions
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 19 Feb 2013 10:00:02 -0500


Healthcare organizations and their patients can add pharmacists as one
more link in the data chain to be wary of after a former Kentucky
Walgreens pharmacist was sentenced to 25 months in prison on Friday
for, among other charges, identity theft.

Elizabeth A. Smith originally pleaded guilty to using patient and
doctor names as well as Drug Enforcement Agency (DEA) numbers to
create fraudulent prescriptions for controlled substances such as
hydrocodone in United States District Court, according to
phiprivacy.net, on Nov. 19. While keeping the pills for her own
personal use is disturbing, the fact that Smith filled prescriptions
without patient or doctor consent should be especially eye-opening for
healthcare organizations.Justice.gov cited an example of how she used
the patient data:

On January 5, 2012, while working at a Walgreens in Madisonville,
Kentucky, Smith used patient T.R.’s name, and doctor S.S.’s name and
DEA number, without T.R.’s or S.S.’s knowledge or authority to order a
fraudulent prescription for 180 hydrocodone pills. Smith entered the
prescription in the Walgreens computer system and reduced the amount
due for the prescription from $131.37 to $5. Smith paid the $5 with
her own personal credit card.

This, of course, isn’t the first time that a national pharmacy chain
has taken heat for a protected health information (PHI) breach. Back
in 2010, a joint investigation of Rite Aid’s patient privacy
procedures by the U.S. Department of Health and Human Services (HHS)
Office for Civil Rights (OCR) and the Federal Trade Commission (FTC)
led to a $1 million settlement. Rite Aid had to take “corrective
action to improve policies and procedures to safeguard the privacy of
its customers when disposing of identifying information on pill bottle
labels and other health information.”

The critical takeaways from the Rite Aid case were that the company
had violated both HIPAA and FTC regulations. Given the volume of
patient data that Walgreens manages, it stands to reason that HHS
would at least look at this case because some of the same patient
privacy violations raised in the Rite Aid settlement seem to apply to
the Walgreens case.

There are other instances of big-time pharmacy HIPAA violations, such
as CVS Caremark agreeing to pay a $2.25 million fine in 2009 and
institute corrective action plans following an HHS investigation of
potential HIPAA violations. CVS was shortly thereafter sued by six
independent Texas pharmacies for mining patient data for business
purposes, which is a separate patient privacy discussion for another

The Walgreens case is a rare one and doesn’t mean pharmacists can’t be
trusted, but it does raise the question of what can be done to tighten
up patient data privacy as it changes hands and the data becomes more
integrated, and therefore more valuable.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list


Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.

  By Date           By Thread  

Current thread:
  • Walgreens pharmacist patient data breach raises questions Erica Absetz (Feb 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]