Walgreens pharmacist patient data breach raises questions

Author | Date February 18, 2013

Healthcare organizations and their patients can add pharmacists as one more link in the data chain to be wary of after a former Kentucky Walgreens pharmacist was sentenced to 25 months in prison on Friday for, among other charges, identity theft.

Elizabeth A. Smith originally pleaded guilty on Nov. 19 in United States District Court, according to phiprivacy.net, to using patient and doctor names as well as Drug Enforcement Agency (DEA) numbers to create fraudulent prescriptions for controlled substances such as hydrocodone. While keeping the pills for her own personal use is disturbing, the fact that Smith filled prescriptions without patient or doctor consent should be especially eye-opening for healthcare organizations. Justice.gov cited an example of how she used the patient data:

On January 5, 2012, while working at a Walgreens in Madisonville, Kentucky, Smith used patient T.R.’s name, and doctor S.S.’s name and DEA number, without T.R.’s or S.S.’s knowledge or authority to order a fraudulent prescription for 180 hydrocodone pills. Smith entered the prescription in the Walgreens computer system and reduced the amount due for the prescription from $131.37 to $5. Smith paid the $5 with her own personal credit card.

This, of course, isn’t the first time that a national pharmacy chain has taken heat for a protected health information (PHI) breach. Back in 2010, a joint investigation of Rite Aid’s patient privacy procedures by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) led to a $1 million settlement. Rite Aid had to take “corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.”

The critical takeaway from the Rite Aid case was that the company had violated both HIPAA and FTC regulations. Given the volume of patient data that Walgreens manages, it stands to reason that HHS would at least look at this case because some of the same patient privacy violations raised in the Rite Aid settlement seem to apply to the Walgreens case.

There are other instances of big-time pharmacy HIPAA violations, such as CVS Caremark agreeing to pay a $2.25 million fine in 2009 and institute corrective action plans following an HHS investigation of potential HIPAA violations. CVS was shortly thereafter sued by six independent Texas pharmacies for mining patient data for business purposes, which is a separate patient privacy discussion for another day.

The Walgreens case is a rare one and doesn’t mean pharmacists can’t be trusted, but it does raise the question of what can be done to tighten up the privacy of patient data as it changes hands and becomes more integrated, and therefore more valuable.

  • subhan amin

    The issue is more of an individual privacy breach rather than an overall distrust of the pharmacy practice. Most pharmacists are honest, trustworthy health professionals that are governed by HIPAA law and abide by it. The information is given to the pharmacist so that they may use it for express purposes and even have a duty to check information to protect patient privacy from error or individuals with malicious intent. Every aspect of pharmacy duty has a check and balance. In this specific case, if the pharmacist were governed by stricter law it would deter them from doing something like this. For example, in NY state you can only take a five day phone-in control prescription and must print the NY state official prescription serial number on the prescription. The doctor will have to send in the hard copy via mail and once received it must be attached to the hard copy of the phoned prescription for auditing purposes. As a check to see what prescriptions are being billed to the patient's insurance, they are allowed to retrieve a paper printout of their prescription log as long as they can present a government issued photo ID. Using this information a patient can keep track of what prescriptions were filled, what insurance was billed, and the tender information for payment method. If they see any discrepancies they can inquire with corporate management or report obvious discrepancies to the Board of Pharmacy for further investigation.

