CVS Pharmacy is contacting some patients to inform them that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that period of time frame, many of its pharmacies were affected by looting and vandalism incidents. Unauthorized people obtained access to many of its stores and stole completed prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and possibly stolen in the incidents.
The range of information impacted included names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer data.
CVS Pharmacy has made the incidents known to the HHS’ Office for Civil Rights collectively as affecting 21,289 customers.
Meanwhile, Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period of time. According to the breach notification submitted to the California Attorney General’s office, various groups of individuals broke into Walgreens stores in many locations between May 26, 2020 and June 5, 2020. The customers stole many items from the stores, some of which contained the personal and protected health information of its customers.
These included a restricted amount of hard drives that were connected to cash registers, an automation device used for printing prescription labels, filled prescriptions that were awaiting collection, and some paper records. Social Security numbers and financial data were not impacted.
The data obtained by unauthorized individuals varied from customer to customer and may have included the following types of information: First and last name, address, phone number, date of birth/age, prescription number, prescriber name, health plan title and group number, vaccination details (including eligibility information), medication name (including strength, quantity, and description), email address, balance rewards number, photo ID number, driver’s license data, state ID number, military ID number, and passport (e.g. for customer purchasing drugs like pseudoephedrine).
After the break-ins, Walgreens quickly implemented steps to prevent fraud, such as closing out and re-entering impacted prescriptions and reversing insurance claims for completed prescriptions. Walgreens said that incidents have taken place at around 180 of its locations and the breach report submitted to the HHS’ Office for Civil Rights indicates the PHI of up to 72,143 individuals has been impacted.