Victims of CVS Caremark Data Breach Filed a Class Action Lawsuit for Damages

Patients of CVS Caremark filed a lawsuit against CVS and its mailing vendor, Fiserve, on March 21, 2018 in Ohio federal court. The legal action stems from a healthcare data breach that exposed the patients' protected health information. Allegedly, the privacy breach occurred when Fiserve made a mailing error in July/August 2017 that affected about 6,000 patients.

In July 2017, the Ohio HIV Drug Assistance Program (PhDAP) contracted CVS Caremark to be its pharmacy benefits manager. The job of CVS Caremark is to give eligible patients HIV medications and send them communications about prescriptions. Fiserve is CVS Caremark’s mailing vendor, which sent letters to the patients in July/August 2017. The mailing contained membership cards and information on the process of getting HIV medications. The complaint in the lawsuit is that HIV-related information was visible through the clear plastic windows of the envelopes used in the mailing. This allowed postal service workers, family members, friends and roommates to view the recipient’s HIV status.

Ohio Department of Health policies state that HIV-related information should only be sent using non-window envelopes. Hence, the mailing violated this particular policy as well as the Health Insurance Portability and Accountability Act (HIPAA) Rules. Another allegation in the lawsuit is that CVS Caremark did not submit a breach report to OCR regarding the incident and did not send notifications to the affected individuals. This violates the HIPAA breach notification rule, which requires the reporting of such breaches to the Department of Health and Human Services’ Office for Civil Rights within 60 days of the breach discovery. The plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

A similar breach case occurred weeks before involving the mailing vendor of Aetna. HIV information was also leaked in a mailing error using envelopes with clear plastic windows. The breach affected 12,000 individuals. Aetna paid $17,161,200 to settle the class action lawsuit filed on behalf of victims and another $1.15 million to settle the fine issued by the New York attorney general. Aetna is currently suing its mailing vendor to recoup some of the costs.