HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of Customers Stolen in Looting Incidents at Cub Pharmacies

Another pharmacy chain has announced that the protected health information of some of its customers has been stolen by looters in late May during the period of civil unrest.

Between May 27-30, 2020, 8 Cub pharmacies in the Minneapolis area were broken into and items were stolen, including paperwork containing the protected health information of its customers. Items taken from the pharmacies included locked safes that contained credit card authorization forms and prescriptions that had been processed and were awaiting collection. Binders containing printed records of past prescriptions and orders that were in the process of being prepared were taken from 6 of the pharmacies in Minneapolis and St. Paul.

The information on the credit card forms included the cardholder name, credit card number, expiry date, and the amount of the transaction, but did not include the CVV code which is required to make purchases over the telephone. These forms only related to individuals who had arranged to have prescriptions delivered or mailed, not for customers who paid by credit card in person in a pharmacy.

Cub discovered the theft of items immediately upon entering the stores between May 28-30. A review of CCTV footage revealed further customer information had been taken when the stores were looted. Where possible, customers affected by the breach were notified directly, although it was not possible to identify all affected customers in that manner, as it was not possible to determine which customers’ PHI was included in the stolen binders.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The customer information obtained by the looters was limited and did not include the types of information sought by identity thieves. Cub does not believe that affected individuals are at risk of identity theft; however, as a precaution, all affected individuals are being encouraged to review their financial and explanation of benefits statements for any signs of misuse of their information. No cases of misuse of customer information have been received to date.

Cub is the fourth pharmacy chain to announce that customer information was compromised in recent break-ins. Breaches have also been reported by Walgreens (72,143 individuals), CVS Pharmacy (21,289 individuals) and Kroger (10974 individuals). According to the DEA, more than a third of the 476 retail pharmacies in Philadelphia were looted and many pharmacies in other areas across the United States have also suffered destructive attacks and have had prescription drugs and other items stolen.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.