CVS Pharmacy Lawsuit Over HIPAA Breach Survives Dismissal Motion

by | Feb 6, 2018

Pharmacy benefit manager CVS Pharmacy is suing mail service provider Press America, Inc in relation to over an accidental disclosure of 41 peoples’ protected health information.

CVS Pharmacy is under contract to provide a mail-order based pharmacy service for a health plan to which it acts a business associate. Both entities are bound by HIPAA Rules.

CVS Pharmacy completed a business associate agreement with the health plan, and Press America did similar with CVS Pharmacy as PHI was  needed in order to complete the mailings.

CVS Pharmacy argues the HIPAA Privacy Rule was breached by Press America when it mistakenly disclosed PHI to unauthorized people in a mismailing incident.

The disclosure of some plan subscribers’ PHI was an accident, but the privacy breach breached a performance standard in the CVS Pharmacy’s contract with the health plan. By breaching the performance standard, the CVS Pharmacy had to make a payment of $1.8 million to the health plan.

A legal action was undertaken by CVS Pharmacy seeking indemnification from the mail service in lines with the terms of its BAA and common law principles. CVS Pharmacy claims the mismailing arose due to negligence by its subcontractor, and the $1.8 payment was necessary arising from that negligence. CVS Pharmacy believes the breach was completey under the control of its subcontractor.

CVS Pharmacy argued the mail service had to provide a duty of reasonable care and that duty of care was violated. Since PHI was disclosed, by accident, and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to issue notifications to the 41 plan subscribers, which the complainant claims caused affected its reputation.

The mail service wished to have the claim of negligence dismissed, and in its motion to dismiss the legal action, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that necessitated the $1.8 million payment. The mail service also argued that its indemnification provisions were not supposed to cover this type of payment.

However, the federal court opted not to dismiss the CVS Pharmacy’s legal action. The court ruled that the indemnification provisions of the subcontractor were wide in range enough to encompass CVS Pharmacy’s payment to the health plan, and the subcontractor had no right to challenge the contractual obligation due to the fact that  it was not a party or third-party beneficiary to the contract.

Financial losses were also experienced due to that negligence, as CVS Pharmacy had to make a large payment to the health plan in addition to covering the cost of sending notifications to the plan subscribers whose PHI was disclosed. Due to these reasons, the motion to dismiss the case was thrown out.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy