How to Prevent Top Three Health Information Breaches

Major pharmacy company settles privacy breaches

The Federal Trade Commission (FTC) and HHS entered into a settlement agreement with the CVS Caremark Corp., including penalties of $2.25 million, in February for violating HIPAA and FTC rules with the inappropriate disposal of PHI. The settlement followed an investigation prompted by reports that the company discarded patient information in industrial trash containers outside some of its stores, including pill bottles.

CVS failed to secure the containers, making the patent information assessable to anyone, according to HHS. The company violated the privacy of millions of its customers.

Lessons learned: CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, according to HHS.

Organizations run into problems when they have lax practices, says Amatayakul. "Organizations should know better, and they should secure this data," she adds.

HHS also found CVS failed to adequately train employees to discard patient information properly. Many privacy problems are really a training problem, Amatayakul says.

Facilities must also safeguard data used through mobile devices, she says. Stolen or lost laptop computers that contained patient information also dominated news headlines in 2009.