CVS Charged With Exposing Customers To ID Theft - InformationWeek

CVS Charged With Exposing Customers To ID Theft

The pharmacy allegedly dumped documents containing critical customer information in a dumpster behind a Texas store.

The Texas Attorney General took legal action against CVS Pharmacy on Tuesday for allegedly exposing its customers to identity theft.

Investigators with the Office of the Attorney General said they discovered that a CVS store in Liberty, Texas, exposed hundreds of its customers to identity theft by dumping a mass of customer records in a dumpster behind the store. Investigators also said they found several medical prescription forms that included each customer's name, address, date of birth, issuing physician, and the types of medication prescribed.

The documents, according to an advisory, also contained hundreds of active debit and credit card numbers, complete with expiration dates.

It's still unclear if any of the information has been used in identity theft scams.

According to court documents filed by Attorney General Greg Abbott, CVS violated a 2005 law requiring businesses to protect any customer records that contain sensitive customer information, including credit and debit card numbers.

"Identity theft is one of the fastest growing crimes in the United States," said Abbott in a written statement. "Texas law protects sensitive personal information in order to prevent this widespread crime. Texans can rest assured that we will continue aggressively cracking down on vendors who jeopardize the confidentiality of their clients' sensitive information."

CVS is accused of violating the 2005 Identity Theft Enforcement and Protection Act, which requires businesses to protect and properly dispose of documents that include clients' sensitive personal information, according to the advisory. Under the law, the Attorney General's office has the authority to seek penalties of up to $50,000 per violation.

The Attorney General also charged CVS with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information. The law provides for civil penalties of up to $500 for each abandoned record.

This is the fourth identity theft enforcement action by the Texas Office of the Attorney General in recent weeks. Earlier this month, the Texas attorney general charged RadioShack with violating identity protection laws by dumping thousands of customer records in a garbage bin behind a Texas store.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
AI as a Human Right
Guest Commentary, Guest Commentary,  3/8/2019
How to Become a Master Scrum Master
John Edwards, Technology Journalist & Author,  2/28/2019
TaylorMade IT Spin-Off Taps Cloud Database
Jessica Davis, Senior Editor, Enterprise Apps,  2/15/2019
Register for InformationWeek Newsletters
Current Issue
Security and Privacy vs. Innovation: The Great Balancing Act
This InformationWeek IT Trend Report will help you better understand and address the growing challenge of balancing the need for innovation with the real-world threats and regulations.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll