Healthcare Information Security

HIPAA and Compliance News

CVS agrees to $250K data privacy resolution with Maryland AG

By Patrick Ouellette

CVS Pharmacy, Inc. and Maryland CVS Pharmacy, LLC reached a $250,000 agreement this week with Attorney General Douglas F. Gansler’s Consumer Protection Division because, in the eyes of the AG, it didn’t do enough to protect patient data.

This settlement also resolved allegations that CVS sold and offered for sale products after their expiration dates had passed. It is noteworthy that resolving the issue took five years from the original accusations, which date back to 2008. CVS has since said in a statement that it agreed to the settlement to avoid the time and expense of further legal proceedings.

The Consumer Protection Division had received complaints that CVS pharmacies had been discarding records containing patients’ protected health information (PHI) in open dumpsters. This violated Maryland’s Consumer Protection Act, which says it’s an unfair and deceptive trade practice for a business to attempt to dispose of records containing its customers’ PHI without taking reasonable steps to protect against unauthorized access to or use of them.

“This settlement speaks to the health and wellbeing of all consumers,” said Attorney General Gansler. “Expired products don’t belong on store shelves and we know that individuals’ personal information, if exposed, could lead to serious problems.”

Under the terms of the settlement, CVS will maintain, revise and enforce new policies for the disposal of protected health information, conduct internal monitoring, implement an employee training program for handling and disposing of patient information, and report any noncompliance to the division for three years.

