Victims of CVS Caremark Data Breach Pursuing Class Action Lawsuit

by | Mar 28, 2018

It is believed that healthcare data breach that saw the protected health information of clients of CVS Caremark impacted has lead to legal action against CVS, Caremark, and its mailing supplier, Fiserv.

The legal action, which was submitted in Ohio federal court on March 21, 2018, relates to a presumed privacy breach that happened due to a mistake that affected a July/August 2017 mailing broadcast sent to almost 6,000 patients.

In July 2017, CVS Caremark was hired to manage as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark supplies eligible patients with HIV medications and corresponds with them about medications.

In July/August 2017, CSV Caremark’s mailing supplier Fiserve issued letters to patients containing their membership cards and data about how they could receive their HIV prescriptions.

In the legal action the complaint claims HIV-related data was clearly visible through the plastic windows of the envelopes, allowing the data to be seen by postal service workers, family members, and roommates. It is claimed the mailing resulted in the revealing of the recipient’s HIV status.

As per Ohio Department of Health policies, information that refers to HIV should only be broadcast in non-window envelopes. The mailing would have breached those policies and Health Information Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA violation should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovery of the breach; however, the complainant claims no breach report was filed to OCR and alerts were not sent to affected people – An additional breach of HIPAA Rules.

Plaintiffs are suing for punitive and compensatory damages and coverage of their legal expenses.

There have been further breaches of HIV information over the last while, including a mailing mistake by a supplier of Aetna. In that case, HIV-related data could be seen through the clear plastic windows of envelopes in a mailing to 12,000 people. Aetna settled a class action lawsuit submitted on behalf of victims of the HIPAA violation for $17,161,200 and is currently suing its mailing supplier to recover the expenses. The New York Attorney General also fined Aetne in relation tothe breach and settled that case for a figure of $1.15 million.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy