[BreachExchange] Federal Lawsuit Filed Following Alleged CVS Health Data Breach

Tue Apr 3 19:04:59 EDT 2018

https://healthitsecurity.com/news/federal-lawsuit-filed-
following-alleged-cvs-health-data-breach

Three plaintiffs filed a federal lawsuit on March 21, 2018, claiming that a
CVS Health data breach exposed the PHI of over 6,000 individuals, including
revealing the HIV status of the individuals.

CVS Health, Caremark LLC (a subsidiary of CVS Health), and Fiserv Solutions
LLC were all named in the lawsuit, which was filed in the US District Court
for the Southern District of Ohio.

CVS sent out mailings in the summer of 2017, with “two clear glassine
windows” revealing PHI, according to the lawsuit.

“A second window contained the recipient’s name and address, with the
designation ‘PM 6402 HIV’ directly above the person’s name,” the lawsuit
stated. “This reference to the recipient’s HIV status was plainly visible
through the glassine window. The designation ‘HIV’ in the program
identification number was not required by the Ohio Department of Health,
but rather was created by CVS.”

The Defendants did not attempt to test or review how information could
potentially be disclosed before they sent out the mailings, Plaintiffs
maintained. Additionally, the Ohio Department of Health requires that “all
mailings relating to HIV-related issues” be sent in an “opaque,
non-windowed envelope.”

The Ohio Department of Health had awarded a contract to CVS earlier in
2017, allowing CVS to provide individuals eligible under the Ohio HIV Drug
Assistance Program (OhDAP) with HIV medications.

CVS also “hampered efforts to remediate the damage by failing to notify
affected individuals and the United States Department of Health and Human
Services,” the lawsuit reads.

“One of the undersigned counsel sent CVS a letter months ago advising CVS
that it had violated HIPAA, asking for verification of the corrective
measures that CVS had taken to ensure that breaches will not happen in the
future, and demanding that CVS notify the affected individuals,” the
document explains. “CVS’s Chief Privacy Officer acknowledged receipt of the
letter and stated that CVS was investigating this claim.”

Regardless of that information, CVS still did not notify potentially
affected individuals nor did it reach out to the Department of Health and
Human Services about the data breach.

AIDS activist Eddie Hamilton of Columbus, Ohio first notified The
Washington Blade about the issue in August 2017. Hamilton said that he
received an envelope with a mention of HIV above his name in view of the
envelope window.

CVS Health spokesperson Michael J. DeAngelis told the news source that a
reference code for the assistance program included a series of letters and
numbers that were visible in the envelope window.

“This reference code was intended to refer to the name of the program and
not to the recipient’s health status,” DeAngelis said.

A similar incident led to a $17 million settlement for Aetna in 2017. In
that case, 12,000 individuals were affected when information about ordering
prescription HIV drugs was clearly visible through an envelope's clear
window.

“…the instructions for the recipient to fill their HIV medication
prescription was plainly visible through the large-window section of the
envelope,” the original lawsuit read. “Specifically, the visible portion of
the letter clearly indicated that it was from Aetna, included a claims
number and information for the addressee, and stated ‘[t]he purpose of this
letter is to advise you of the options…Aetna health plan when filling
prescriptions for HIV Medic…’”

The Aetna letters had originally been sent in response to a settlement over
previous data privacy violation worry, where Aetna had been sued in two
separate class-action lawsuits in 2014 and 2015.

“Those lawsuits alleged that Aetna jeopardized the privacy of people taking
HIV medications by requiring its insureds to receive their HIV medications
through mail and not allowing them to pick up their medications in person
at the pharmacy,” the 2017 lawsuit explained.

In addition to the federal case, New York Attorney General Eric
Schneiderman also announced a $1.15 million state settlement was reached in
early 2018.

The HIV status of 2,460 New Yorkers was exposed, Schneiderman said in a
statement.

“Through its own carelessness, Aetna blatantly violated its promise to
safeguard members’ private health information,” explained Schneiderman.
“Health insurance companies handle personal health information on a daily
basis and have a fundamental responsibility to be vigilant in protecting
their members. We won’t hesitate to act to ensure that insurance companies
live up to their responsibilities to the New Yorkers they serve.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180403/fba6b867/attachment.html>