In a related action, Rite Aid's pharmacy chain also agreed to pay $1 million to resolve Department of Health and Human Services (HHS) allegations that it failed to protect customers' sensitive health information. Rite Aid operates the third largest pharmacy chain in the United States, with some 4,900 retail pharmacies as well as an online pharmacy.
"Companies that say they will protect personal information shouldn't be tossing patient prescriptions and employment applications in an open Dumpster," said Jon Leibowitz, Chairman of the Federal Trade Commission, in a statement. "We hope other organizations will learn from the FTC's action against Rite Aid to take their obligation to protect consumers' personal information seriously."
The FTC initiated its investigation after news reports circulated about Rite Aid pharmacies using open waste receptacles to discard trash containing consumers' personal information, such as pharmacy labels and job applications. HHS began a concurrent investigation into Rite Aid's disposal of health information protected by the Health Insurance Portability and Accountability Act (HIPAA).
This marks the second time the FTC and HHS coordinated investigations and settlements, the first instance in February 2009 involving CVS Caremark, which paid $2.25 million to settle similar charges.
According to the FTC's complaint, Rite Aid failed to use appropriate procedures in the following areas:
- Disposing of personal information
- Adequately training employees
- Assessing compliance with its disposal policies and procedures
- Employing a reasonable process for discovering and remedying risks to personal information
The FTC settlement order requires Rite Aid to establish a comprehensive information security program to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees. It also requires the company to obtain -- every two years for the next 20 years -- an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. The order also bars future misrepresentations of the company's security practices.
The HHS settlement requires Rite Aid pharmacies to establish policies and procedures for disposing of protected health information, create a training program for handling and disposing of patient information, conduct internal monitoring, and obtain an independent assessment of its compliance for three years. Rite Aid also will pay HHS $1 million to settle the matter.
The agreement will be subject to public comment for 30 days, until August 27, 2010. To submit a comment electronically, click here.