PHI Exposed Due to Break-ins at CVS Pharmacy and Walgreens

CVS Pharmacy is notifying some patients about the loss of some of their private data and protected health information (PHI) after a number of incidents took place at its pharmacies from May 27, 2020 to June 8, 2020. In the course of that time period, a few of its pharmacies had suffered looting and vandalism occurrences. Unauthorized people got access to a number of its outlets and took filled up prescriptions contained in pharmacy waiting bins. The thieves also potentially stole the lost vaccine consent forms and printed prescriptions.

The following types of data may have been compromised: names, birth dates, addresses, names of medication, prescriber data, and primary care provider details. There is no report received up to now about any improper use of customer data.

CVS Pharmacy has submitted a collective report of the incidents to the HHS’ Office for Civil Rights indicating that 21,289 people had been affected.

Series of Break-ins at Walgreens and Theft of PHI

Walgreens Pharmacy sent in a report of similar incidents that happened at its pharmacies in the same period of time. Based on the breach notification submitted to the Attorney General’s office in California, different groups of people broke into the stores of Walgreens in a number of locations from May 26, 2020 to June 5, 2020. The thieves stole a lot of stuff from the outlets, a few of which included the private data and PHI of its clients.

The stolen items included a few hard drives that were linked to the cash registers, an automation gadget utilized for the printout of prescription labels, filled up prescriptions for collection, and a number of paper documents. There were no financial details and Social Security numbers compromised.

The unauthorized individuals obtained varying data of customers and could have contained these types of data: First and last names, telephone number, addresses, birth dates /age, prescriber name, prescription number, name of health plan and group number, vaccination data (such as eligibility details), medication name (which include description, dosage, and quantity), balance rewards number, photo ID number, driver’s license number, military ID number, state ID number, passport (for example for consumers buying drugs like pseudoephedrine) and email address.

After the break-ins, Walgreens promptly took action to avoid fraud, like closing out and re-entering affected prescriptions and reversal of insurance claims for filled out prescriptions. The number of persons affected is uncertain at this time. Walgreens stated that the incidents happened at about 180 locations.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at