The Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer advocacy group, filed a lawsuit last week alleging that supermarket chain Albertsons and its pharmacy units, SavOn, Osco, and Jewel-Osco, violated the privacy rights of thousands of customers by selling confidential medical information to drug companies.

Albertsons responded in a statement: "We highly value and respect the privacy of our pharmacy customers and do not sell, nor have we ever sold, their private information. We consider the allegations in this complaint to be false and totally without merit--and we will vigorously defend ourselves against them."

A number of leading pharmaceutical companies are also named in the lawsuit, initially as "Doe Defendants." These alleged "aiders and abettors" include Allergan, Aventis, AstraZeneca, Bristol-Meyers Squibb, Eli Lilly, Galderma, GlaxoSmithKline, Merck, Novartis, Otsuka America Pharmaceuticals, Pfizer, Proctor & Gamble, Schering Plough, TAP Pharmaceutical Products, Teva Pharmaceutical, and Wyeth.

Eli Lilly, Merck, and Pfizer did not respond to requests for comment.

The lawsuit alleges that Albertsons improperly used and disclosed medical information to assist drug companies in the marketing of pharmaceutical products. The marketing takes the form of mailings and phone calls, and appears to be prescription renewal reminders or suggestions about alternate medications.

Jeffrey R. Krinsk, an attorney with San Diego-based Finkelstein & Krinsk, the law firm representing the Privacy Rights Clearinghouse, says that the marketing messages are deceptive. "Recipients are led to believe that it's part of a program that's directed at their welfare, but it's directed to enhancing drug consumption," he says.

Under the Health Insurance Portability and Accountability Act, this practice is not illegal. While the federal medical privacy law prohibits the use of health information for marketing purposes without patient authorization, it exempts certain activities from the statutory definition of "marketing." But California's Confidentiality of Medical Information Act, conceived to close this loophole in HIPAA, defines marketing in more expansive terms.

"The specific California code provision that we're dealing with prohibits the pharmacy from selling, sharing, or otherwise using any medical information for any purpose," Krinsk explains. "The critical distinction that they make, that we believe is of no consequence, is they say that they don't sell the information. They claim that the process that they employ doesn't constitute selling or using of information. Rather than selling the names and addresses they instead either handle [the data] internally or handle some of it internally and then contract out to third-party administrators. We allege that's a distinction without a difference."

This isn't the first case involving retail stores and alleged misuse of medical information. In 1998, according to a Massachusetts Superior Court memorandum, the drug-store chain CVS allegedly contracted with data-management company Elensys Care Services to send direct mail pitches to CVS customers promoting new pharmaceutical products. The solicitations, on CVS letterhead, were sent by Elensys and paid for by pharmaceutical companies such as Glaxo and Merck, the memorandum alleges, in direct violation of CVS's privacy policy.

Litigation in the CVS case continues despite the passage of a year without significant activity. The case has been referred to a special master and is currently under advisement. Elenysys has since changed its named to Adheris. The renamed data-management company is working with Albertsons, claims Krinsk, who is also involved in the case against CVS.

"The big issue in all these cases is deception," says John L. Hines, Jr., a partner in the Internet and Technology Practice Group at Chicago law firm Sachnoff & Weaver. "You say you're going to do one thing and you don't do it."