The theft of a laptop computer from an unnamed vendor has exposed the protected health information of a number of Alabama CVS pharmacy patients.
The data breach only affects certain patients who have previously filled out prescriptions at a single CVS pharmacy in Alabama – The CVS pharmacy at 8370 Highway 31 in Calera. Data stored on the laptop computer included the names of patients along with contact telephone numbers, home addresses, details of the prescriptions provided, and numbers and dispensing dates. No Social Security numbers or financial information were exposed.
The theft occurred on March 16, 2016., and CVS was notified of the data breach on March 22. All affected patients have now been notified of the privacy breach by mail. The laptop theft was reported to the Indianapolis Police Department although the laptop computer has not been recovered.
CVS requires its vendors to encrypt all patient information although in this case encryption was not used. This was a breach of the vendor’s contractual obligations, although the incident was not deemed to be severe enough to warrant the termination of CVS’s business relationship with the vendor.
CVS pharmacy conducted a thorough review of the security incident and was satisfied that this was an isolated error, and “was not caused by lack of internal controls or other systemic issues,” according to a statement released by CVS spokesman Mike DeAngelis.
CVS is satisfied that the additional protections being put in place by the vendor will be sufficient to reduce the risk of future privacy breaches and will enable the vendor to continue working with CVS Health. Additional security measures include providing staff members with further privacy and encryption training.
Earlier this month OptumRx reported a data breach had occurred as a result of the theft of an unencrypted laptop computer from a vendor. The breach report bears a number of similarities to the CVS pharmacy data breach. The laptop was similarly stolen on March 16 and the theft was also reported to the Indianapolis Police Department. The vendor was not identified by OptumRX, although the company provided prescription delivery services.
The post Vendor Laptop Theft Exposes PHI of Alabama CVS Pharmacy Patients appeared first on HIPAA Journal.