Share this article on:
On Wednesday, Rite Aid announced that the widespread looting during the Baltimore riots resulted in prescription drugs being stolen from a number of its Baltimore pharmacies. The labels on some of the stolen prescription bottles contained information protected under the Health Insurance Portability and Accountability Act (HIPAA).
The labels did not contain Social Security numbers or financial information, but sufficient information was printed on the labels to make affected patients potential targets for fraudsters. Many of the stolen medications are now being sold on the black market on the streets of Baltimore.
The information on the prescription labels includes the names of patients, their addresses, together with the medication name. As reported earlier this week, this information can be used by criminals to trick patients into revealing more sensitive information, such as their bank account details or Social Security numbers.
In the case of Rite Aid, the patient information is limited, but the risk of identity fraud was considered to be of a level where identity theft protection services were deemed to be necessary. The individuals affected by the data breach are being contacted by mail and are being offered free fraud protection for a period of one year.
HIPAA Rules on Protected Health Information (PHI) and Personally Identifiable Information (PII)
HIPAA demands safeguards be put in place to keep PHI and PII private and confidential; however even the most diligent pharmacy operator could not be expected to keep PHI private under the circumstances seen during the unrest in Baltimore.
What is important for the pharmacy operators experiencing prescription medication theft is to promptly identify the affected patients. The HIPAA Breach Notification Rule demands that all Covered Entities (CEs) put their breach response plan in place quickly, to reduce the risk of PHI being used for fraudulent purposes and mitigate any damage already caused.
CEs only have 60 days to complete their initial investigation, identify the victims, issue a breach report to the Department of Health and Human Services’ Office for Civil Rights (OCR) and send breach notification letters to the victims. A slow breach response can result in a significant fine being issued by the OCR and state attorney generals.
Widespread HIPAA Breach Caused by Looting in Baltimore
Rite Aid was not the only pharmacy chain to be affected during the riots. The Baltimore Police Commissioner, Anthony W. Batts, issued a statement saying that an investigation in conjunction with the DEA is hoped to result in the recovery of 175,000 units of prescription medication being recovered. He said that during the riots, 27 pharmacies and two methadone clinics were looted.
According to a report in the Baltimore Sun, DEA Special Agent Gary Tuggle said “even more drugs have been stolen than reported. About 40 percent of the looted pharmacies have not finished counting losses,”
CVS Health and Care One, among others, have already reported thefts. The advice for Baltimore residents receiving prescriptions from a looted pharmacy should obtain free credit reports from each of the main credit monitoring agencies – Experian, Equifax and TransUnion – and monitor their credit and EoB statements carefully for any sign of fraud. If offered, credit protection services should be accepted and activated as soon as possible.