Victims of CVS Caremark Data Breach Pursuing Class Action Lawsuit

by Ryan Coyne | Mar 28, 2018

It is believed that healthcare data breach that saw the protected health information of clients of CVS Caremark impacted has lead to legal action against CVS, Caremark, and its mailing supplier, Fiserv.

The legal action, which was submitted in Ohio federal court on March 21, 2018, relates to a presumed privacy breach that happened due to a mistake that affected a July/August 2017 mailing broadcast sent to almost 6,000 patients.

In July 2017, CVS Caremark was hired to manage as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark supplies eligible patients with HIV medications and corresponds with them about medications.

In July/August 2017, CSV Caremark’s mailing supplier Fiserve issued letters to patients containing their membership cards and data about how they could receive their HIV prescriptions.

In the legal action the complaint claims HIV-related data was clearly visible through the plastic windows of the envelopes, allowing the data to be seen by postal service workers, family members, and roommates. It is claimed the mailing resulted in the revealing of the recipient’s HIV status.

As per Ohio Department of Health policies, information that refers to HIV should only be broadcast in non-window envelopes. The mailing would have breached those policies and Health Information Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovery of the breach; however, the complainant claims no breach report was filed to OCR and alerts were not sent to affected people – An additional breach of HIPAA Rules.

Plaintiffs are suing for punitive and compensatory damages and coverage of their legal expenses.

There have been further breaches of HIV information over the last while, including a mailing mistake by a supplier of Aetna. In that case, HIV-related data could be seen through the clear plastic windows of envelopes in a mailing to 12,000 people. Aetna settled a class action lawsuit submitted on behalf of victims of the HIPAA violation for $17,161,200 and is currently suing its mailing supplier to recover the expenses. The New York Attorney General also fined Aetne in relation tothe breach and settled that case for a figure of $1.15 million.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter