Drugstore Incidents in Baltimore Offer Lessons.
Retail pharmacy chain Rite Aid on June 3 issued a statement to notify the media that an undisclosed number of customers of several of its Baltimore area stores were potentially affected by breaches of their protected health information as a result of the looting and riots that occurred in late April. Rite Aid says there is no evidence yet that any customer information has been misused. But as a precaution, the company has engaged Kroll, a provider of risk mitigation and response services, “to alert impacted customers via a letter of notification and share with them the proactive measures it has taken to guard against identity theft.”
A Department of Health and Human Services’ Office for Civil Rights spokeswoman highlights HIPAA’s relevant requirements. “The HIPAA Privacy Rule requires a covered entity to have in place appropriate physical and other safeguards to protect the privacy of PHI, including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the privacy rule,” she notes. “Covered entities are also required to address physical and other safeguards under the Security Rule, which includes standards for a facility security plan.”
To help deter medical ID fraud, Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance, suggests that affected pharmacies, especially the larger chains with more sophisticated pharmacy information systems, set up alerts to “flag” refill orders and pick-ups for prescription numbers that were impacted by the lootings. Those alerts could include reminders for store personnel to ask customers for ID when picking up prescriptions. “Anytime someone is trying to refill or pick up a prescription, it’s good to authenticate the ID of that person,” she says. “But in the aftermath of lootings and thefts, you really need to do that.”
Patterson also suggests that as a precaution, individuals who are notified by the pharmacies about the looting-related breaches should closely monitor their Explanation of Benefits statements from health insurers for suspicious transactions. That includes unfamiliar transactions that might indicate that someone other than the individual has received medical treatment or prescription medicines using the breach victim’s ID.
Click here to read the full article.
June 5, 2015 by Marianne Kolbasuk McGee, HealthcareInfoSecurity