HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Compromised in CVS Pharmacy and Walgreens Break-ins

CVS Pharmacy is alerting certain patients that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that time frame, several of its pharmacies were affected by looting and vandalism incidents. Unauthorized individuals gained access to several of its stores and stole filled prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and potentially stolen in the incidents.

The types of information compromised include names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer information.

CVS Pharmacy has reported the incidents to the HHS’ Office for Civil Rights collectively as affecting 21,289 individuals.

Walgreens Reports Series of Break-ins and Theft of PHI

Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period. According to the breach notification sent to the California Attorney General’s office, various groups of individuals broke into Walgreens stores in several locations between May 26, 2020 and June 5, 2020. The individuals stole many items from the stores, some of which contained the personal and protected health information of its customers.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

These included a limited number of hard drives that were connected to cash registers, an automation device used for printing prescription labels, filled prescriptions that were awaiting collection, and some paper records.  Social Security numbers and financial information were not compromised.

The information obtained by unauthorized individuals varied from customer to customer and may have included the following types of information: First and last name, address, phone number, date of birth/age, prescription number, prescriber name, health plan name and group number, vaccination information (including eligibility information), medication name (including strength, quantity, and description), email address, balance rewards number, photo ID number, driver’s license information, state ID number, military ID number, and passport (e.g. for customer purchasing drugs such as pseudoephedrine).

Following the break-ins, Walgreens immediately took steps to prevent fraud, such as closing out and re-entering impacted prescriptions and reversing insurance claims for filled prescriptions. Walgreens said there have been incidents at around 180 of its locations and the breach report submitted to the HHS’ Office for Civil Rights indicates the PHI of up to 72,143 individuals has been compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.