On February 18, 2009, the FTC announced that it settled with CVS Caremark Corporation, the parent company of CVS Pharmacy, over allegations that the company failed reasonably to protect the sensitive financial and medical information of its customers and employees. The FTC brought the action together with the Office of Civil Rights of the Department of Health and Human Services.

Under the settlement, CVS Pharmacy will pay $2.25 million to HHS to settle allegations that it violated the Health Insurance Portability and Accountability Act, and both CVS Caremark and CVS Pharmacy will implement various information security procedures required under the HHS resolution agreement and the FTC consent order. This is the FTC’s twenty fourth case challenging the alleged failure by a company to implement reasonable information security practices.

This is the first FTC data security case: (1) involving a health provider, (2) proceeding jointly with HHS, and (3) challenging the security of employee data. It makes good on the FTC’s promise to bring enforcement actions involving employee data, and it shows that the FTC can and will work with other agencies to resolve security concerns. It is not unreasonable to expect that, after working with the FTC on this enforcement action, HHS will become more active in bringing enforcement actions. Kelley Drye’s Privacy and Information Security practice group has prepared the attached Client Advisory discussing this settlement.

FTC and Department of Health and Human Services Settle with CVS over Allegations that the Company Failed to Protect the Privacy of Customer and Employee Personal Information