CVS Charged With Exposing Customers To ID Theft

The pharmacy allegedly dumped documents containing critical customer information in a dumpster behind a Texas store.

Sharon Gaudin, Contributor

April 19, 2007

2 Min Read
InformationWeek logo in a gray background | InformationWeek

The Texas Attorney General took legal action against CVS Pharmacy on Tuesday for allegedly exposing its customers to identity theft.

Investigators with the Office of the Attorney General said they discovered that a CVS store in Liberty, Texas, exposed hundreds of its customers to identity theft by dumping a mass of customer records in a dumpster behind the store. Investigators also said they found several medical prescription forms that included each customer's name, address, date of birth, issuing physician, and the types of medication prescribed.

The documents, according to an advisory, also contained hundreds of active debit and credit card numbers, complete with expiration dates.

It's still unclear if any of the information has been used in identity theft scams.

According to court documents filed by Attorney General Greg Abbott, CVS violated a 2005 law requiring businesses to protect any customer records that contain sensitive customer information, including credit and debit card numbers.

"Identity theft is one of the fastest growing crimes in the United States," said Abbott in a written statement. "Texas law protects sensitive personal information in order to prevent this widespread crime. Texans can rest assured that we will continue aggressively cracking down on vendors who jeopardize the confidentiality of their clients' sensitive information."

CVS is accused of violating the 2005 Identity Theft Enforcement and Protection Act, which requires businesses to protect and properly dispose of documents that include clients' sensitive personal information, according to the advisory. Under the law, the Attorney General's office has the authority to seek penalties of up to $50,000 per violation.

The Attorney General also charged CVS with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information. The law provides for civil penalties of up to $500 for each abandoned record.

This is the fourth identity theft enforcement action by the Texas Office of the Attorney General in recent weeks. Earlier this month, the Texas attorney general charged RadioShack with violating identity protection laws by dumping thousands of customer records in a garbage bin behind a Texas store.

About the Author

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights