Privacy & Information Security Law Blog

Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information.  The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.  The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.”  At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.

The settlement with the FTC requires Rite Aid to establish a comprehensive information security program and to obtain, every two years for the next 20 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the settlement order.  The order also bars future misrepresentations of the company’s security practices.  In addition to requiring a $1 million payment, the HHS settlement obligates Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and get an independent assessment of its compliance for three years.

This is the second case in which the FTC and HHS coordinated their investigations and settlements.  The agencies resolved similar allegations with CVS Caremark in February 2009, when CVS Caremark agreed to pay a record $2.25 million and implement remedial measures to settle the investigations.