Breaches Tied to Pharmacy Looting: Security Lessons
Walgreens and CVS Are Among the Chains Affected
As more reports emerge regarding data breaches at pharmacy chains as a result of earlier break-ins and looting incidents during civil unrest, security experts are calling attention to important security issues. Those include the need to check physical security measures as well as encrypt mobile computing and storage devices.
Retail chains reporting breaches tied to vandalism include Walgreens, CVS Pharmacy and Cub Pharmacies.
A Walgreens spokeswoman tells Information Security Media Group that a breach report recently filed with the Department of Health and Human Services reflects break-in incidents that occurred in late May to early June at approximately 180 locations.
The HHS Office for Civil Rights HIPAA Breach Reporting Tool website shows that Walgreens on July 24 reported thefts involving paper documents and portable electronic devices affecting more than 72,000 individuals. The devices were computer hard drives, Walgreens says.
"Like many retailers, pharmacies and local businesses across the country, we recently had a number of its stores sustain varying degrees of damage as a result of vandalism and theft," Walgreens says in a statement provided to ISMG. Walgreens did not immediately respond to ISMG's request for further details.
As part of its investigation and review of the damage, Walgreens learned there was also limited unauthorized access to certain patient information at some of the affected stores.
"While these were particularly challenging circumstances from a security standpoint and impacted a very small percentage of our stores, we're evaluating the numerous safeguards we regularly employ," Walgreens says.
In a breach notification, Walgreens says PHI potentially exposed in the incidents includes names, addresses, email addresses, phone numbers and dates of birth; clinical information, such as medication name, strength, quantity and description; prescriber name; health plan name and group number; vaccination information; and in some instances photo ID number on driver's license, state ID, military ID or passport.
Meanwhile, in a July 28 statement, CVS Pharmacy says that between May 27 and June 8, stores in several markets were vandalized.
As a result, on July 24, CVS reported to HHS a breach impacting nearly 21,300 individuals involving loss of documents.
"After conducting a thorough review of impacted stores, we discovered on July 8 that, as a result of the vandalism, certain patient information was missing or destroyed," CVS says in its statement. "The missing or destroyed patient information was included on hard copy paper prescriptions, filled prescriptions held in pharmacy waiting bins or vaccine consent forms, depending on the store location."
The information that may have been disclosed as a result of the vandalism included name, date of birth, address, medication name, prescriber information, primary care provider, phone number and medical information, CVS says.
"We have no evidence of the patient information being misused," the statement notes. "Following the vandalism, our primary goal was to reduce the possibility of harm to our patients and to make sure that we could continue to provide patients with their medications. As needed, we filled and/or transferred prescriptions impacted by this incident."
CVS says it's considering whether additional safeguards are necessary "to further enhance protection of our patients' personal health information." The company did not immediately respond to an ISMG request for additional information.
Cub Pharmacies Incidents
Also notifying customers of health data breaches is Cub Pharmacy, which says in a recent statement that "a number of Cub Pharmacies were among the many Minneapolis-area businesses that were looted during the civil unrest."
In a statement, Cub says "despite the security measures we had in place, some customer information was stolen" in break-ins that happened May 27-30 at eight Cub Pharmacies, resulting in customer information being stolen from six pharmacies.
"These thefts included the removal of locked safes, binders containing past prescription records, and prescription orders that were in the process of being completed," Cub says in the statement. "More recently, a review of security video footage completed on June 20 identified additional customer information that was taken during the looting."
The information that was stolen included customer names, addresses, prescription numbers, drug names, drug quantities, ordering physician names and addresses, number of refills remaining and prescription dates, Cub says.
"We do not believe that individuals are at increased risk of identity theft, and we have not received any reports indicating the information has been misused in any way," the company says.
The Cub breaches were not listed on the HHS OCR tally as of Monday. Cub did not immediately respond to an ISMG request for additional information.
Several other pharmacy retailers - including Walmart and Kroger - that also reportedly experienced vandalism and looting did not immediately respond to ISMG's request for more information on whether they had reportable data breaches. As of Monday, no recent breach reports for Walmart or Kroger appeared on the HHS OCR website.
The recent pharmacy incidents highlight the difficulties of ensuring the physical security of certain protected health information, especially paper-based documents.
"Unfortunately, if intruders are determined to break into a pharmacy, the usual retail security measures are unlikely to prevent it," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"PHI on electronic devices can and should be secured in ways that paper PHI, such as on prescription labels, cannot be," she says. "Preferably, ePHI should not be stored on portable devices because of the heightened risk of device loss and theft. But when it is, it should be encrypted. Further, devices should be left powered off and, when possible, stored in a locked room or cage."