Healthcare Information Security

Walgreens pharmacist patient data breach raises questions

Healthcare organizations and their patients can add pharmacists as one more link in the data chain to be wary of after a former Kentucky Walgreens pharmacist was sentenced to 25 months in prison on Friday for, among other charges, identity theft.

Elizabeth A. Smith originally pleaded guilty to using patient and doctor names as well as Drug Enforcement Agency (DEA) numbers to create fraudulent prescriptions for controlled substances such as hydrocodone in United States District Court, according to, on Nov. 19. While keeping the pills for her own personal use is disturbing, the fact that Smith filled prescriptions without patient or doctor consent should be especially eye-opening for healthcare organizations. cited an example of how she used the patient data:

On January 5, 2012, while working at a Walgreens in Madisonville, Kentucky, Smith used patient T.R.’s name, and doctor S.S.’s name and DEA number, without T.R.’s or S.S.’s knowledge or authority to order a fraudulent prescription for 180 hydrocodone pills. Smith entered the prescription in the Walgreens computer system and reduced the amount due for the prescription from $131.37 to $5. Smith paid the $5 with her own personal credit card.

This, of course, isn’t the first time that a national pharmacy chain has taken heat for a protected health information (PHI) breach. Back in 2010, a joint investigation of Rite Aid’s patient privacy procedures by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) led to a $1 million settlement. Rite Aid had to take “corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.”

The critical takeaway from the Rite Aid case was that the company had violated both HIPAA and FTC regulations. Given the volume of patient data that Walgreens manages, it stands to reason that HHS would at least look at this case, because some of the same patient privacy violations raised in the Rite Aid settlement seem to apply to the Walgreens case.

There are other instances of big-time pharmacy HIPAA violations, such as CVS Caremark agreeing to pay a $2.25 million fine in 2009 and institute corrective action plans following an HHS investigation of potential HIPAA violations. CVS was shortly thereafter sued by six independent Texas pharmacies for mining patient data for business purposes, which is a separate patient privacy discussion for another day.

The Walgreens case is a rare one and doesn’t mean pharmacists can’t be trusted, but it does raise the question of what can be done to tighten up patient data privacy as it changes hands and the data becomes more integrated, and therefore more valuable.