On July 27, 2010, the FTC and Department of Health & Human Services (HHS) jointly announced the settlement of charges against Rite Aid for allegedly failing to protect consumer and patient information. This action is significant for several reasons: it represents another coordinated enforcement action in the health care sector; it bolsters the FTC’s claim to jurisdiction with respect to employee information; and it requires Rite Aid to pay $1 million to settle with HHS.
The complaint against Rite Aid asserts that from 2006 through 2008 there were numerous media reports of both employee and consumer/patient information discarded in unsecured, publicly accessible trash dumpsters. According to the complaint, the discarded documents included a wide range of sensitive employee and consumer information, including Social Security numbers, credit card numbers, dates of birth, medication dosage, and insurance information. Together, the FTC and HHS alleged that Rite Aid failed to 1) implement policies and procedures to properly dispose of this information; 2) train employees in proper disposal and destruction of such documents; 3) conduct regular assessments of compliance with existing policies; and 4) implement audit or review procedures to discover and remedy risks to this information.
The result is a proposed consent order from each agency involving a now-familiar list of obligations. Consistent with prior FTC enforcement actions for failing to secure personal information, Rite Aid is obliged to establish a comprehensive information security program to protect employee and consumer information, including a risk assessment, employee training, implementation of appropriate safeguards, and proper management of service providers with access to personal information. The HHS settlement requires similar steps, while imposing an independent assessment of compliance for three years. The FTC settlement includes an independent assessment every other year over the next two decades.
Within the health care sector, this news indicates the second significant action in 13 months by the agencies against large providers who allegedly did not properly implement existing policies. After years of wondering whether there would be enforcement in the HIPAA space, we now have an answer. But the implications of this enforcement action apply beyond the health care sector because this action reflects another apparently successful effort by the FTC to assert its Section 5 enforcement authority over not just consumer data, but also employee information.
Companies across industry sectors should verify what information is being collected, how that information is being handled, including disposal, and make sure that appropriate policies are fully implemented.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:
Peter F. McLaughlin
Andrew B. Serwin
Chair, Privacy, Security & Information Management Practice
San Diego, California