Rite Aid, the third-largest pharmacy chain in the country, agreed to settle government charges that it failed to protect sensitive medical and financial information belonging to its customers and employees, the Federal Trade Commission announced Wednesday.
The case was a dual investigation by the FTC and the Department of Health and Human Services, spurred by news reports that pharmacy labels and job application forms were being thrown into open dumpsters at Rite Aid pharmacies, the FTC said.
According to the FTC, Rite Aid failed to appropriately dispose of personal information, adequately train employees, or have a reasonable process for discovering risks to personal data.
In its settlement agreement with the HHS over alleged HIPAA violations, Rite Aid will pay $1 million. The company must also establish procedures for disposing of protected health information, create a training program for handling of patient data, conduct internal monitoring and obtain an independent assessment of its compliance for three years.
In its settlement with the FTC, Rite Aid must establish a comprehensive information security program and obtain independent audits of its program for the next 20 years.
The settlement with Rite Aid is the second case in which the FTC and HHS coordinated their investigations. In February 2009, the agencies settled similar complaints against CVS Caremark.