Privacy group accuses grocery-store chain of misusing customers' pharmacy data.
The Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer advocacy group, filed a lawsuit last week alleging that supermarket chain Albertsons and its pharmacy units, SavOn, Osco, and Jewel-Osco, violated the privacy rights of thousands of customers by selling confidential medical information to drug companies.
Albertsons responded in a statement: "We highly value and respect the privacy of our pharmacy customers and do not sell, nor have we ever sold, their private information. We consider the allegations in this complaint to be false and totally without merit--and we will vigorously defend ourselves against them."
A number of leading pharmaceutical companies are also named in the lawsuit, initially as "Doe Defendants." These alleged "aiders and abettors" include Allergan, Aventis, AstraZeneca, Bristol-Meyers Squibb, Eli Lilly, Galderma, GlaxoSmithKline, Merck, Novartis, Otsuka America Pharmaceuticals, Pfizer, Proctor & Gamble, Schering Plough, TAP Pharmaceutical Products, Teva Pharmaceutical, and Wyeth.
Eli Lilly, Merck, and Pfizer did not respond to requests for comment.
The lawsuit alleges that Albertsons improperly used and disclosed medical information to assist drug companies in the marketing of pharmaceutical products. The marketing takes the form of mailings and phone calls, and appears to be prescription renewal reminders or suggestions about alternate medications.
Jeffrey R. Krinsk, an attorney with San Diego-based Finkelstein & Krinsk, the law firm representing the Privacy Rights Clearinghouse, says that the marketing messages are deceptive. "Recipients are led to believe that it's part of a program that's directed at their welfare, but it's directed to enhancing drug consumption," he says.
Under the Health Insurance Portability and Accountability Act, this practice is not illegal. While the federal medical privacy law prohibits the use of health information for marketing purposes without patient authorization, it exempts certain activities from the statutory definition of "marketing." But California's Confidentiality of Medical Information Act, conceived to close this loophole in HIPAA, defines marketing in more expansive terms.
"The specific California code provision that we're dealing with prohibits the pharmacy from selling, sharing, or otherwise using any medical information for any purpose," Krinsk explains. "The critical distinction that they make, that we believe is of no consequence, is they say that they don't sell the information. They claim that the process that they employ doesn't constitute selling or using of information. Rather than selling the names and addresses they instead either handle [the data] internally or handle some of it internally and then contract out to third-party administrators. We allege that's a distinction without a difference."
Litigation in the CVS case continues despite the passage of a year without significant activity. The case has been referred to a special master and is currently under advisement. Elenysys has since changed its named to Adheris. The renamed data-management company is working with Albertsons, claims Krinsk, who is also involved in the case against CVS.
"The big issue in all these cases is deception," says John L. Hines, Jr., a partner in the Internet and Technology Practice Group at Chicago law firm Sachnoff & Weaver. "You say you're going to do one thing and you don't do it."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.