FTC Brings Case in Conjunction with Office of Civil Rights
The FTC has clearly indicated its focus on preventing medical identity theft, and a case involving CVS shows that focus. In the case, brought earlier this year, CVS was alleged to have failed to implement reasonable and appropriate security to protect the information it gathered, which included name, telephone number, address, date of birth, account information, credit card information, prescription and other related medical information, as well as several other categories of data. The FTC alleged that CVS discarded materials containing this information in an unsecured way, including in dumpsters.
The matter was resolved via consent decree, which required CVS to implement a comprehensive data security plan and to not make any misrepresentations regarding the security and privacy of information. CVS was also required to comply with standard reporting, third-party review, and document-retention requirements.
It should be noted that this was the first health care case brought by the FTC and the first one brought in conjunction with the Office of Civil Rights in the Department of Health and Human Services. It is another example of the potential pitfalls of not addressing information security.