Albertsons Sued Over Customer-Data Privacy - InformationWeek
Software // Information Management
05:28 PM
Connect Directly
[Dark Reading Crash Course] Finding & Fixing Application Security Vulnerabilitie
Sep 14, 2017
Hear from a top applications security expert as he discusses key practices for scanning and securi ...Read More>>

Albertsons Sued Over Customer-Data Privacy

Privacy group accuses grocery-store chain of misusing customers' pharmacy data.

The Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer advocacy group, filed a lawsuit last week alleging that supermarket chain Albertsons and its pharmacy units, SavOn, Osco, and Jewel-Osco, violated the privacy rights of thousands of customers by selling confidential medical information to drug companies.

Albertsons responded in a statement: "We highly value and respect the privacy of our pharmacy customers and do not sell, nor have we ever sold, their private information. We consider the allegations in this complaint to be false and totally without merit--and we will vigorously defend ourselves against them."

A number of leading pharmaceutical companies are also named in the lawsuit, initially as "Doe Defendants." These alleged "aiders and abettors" include Allergan, Aventis, AstraZeneca, Bristol-Meyers Squibb, Eli Lilly, Galderma, GlaxoSmithKline, Merck, Novartis, Otsuka America Pharmaceuticals, Pfizer, Proctor & Gamble, Schering Plough, TAP Pharmaceutical Products, Teva Pharmaceutical, and Wyeth.

Eli Lilly, Merck, and Pfizer did not respond to requests for comment.

The lawsuit alleges that Albertsons improperly used and disclosed medical information to assist drug companies in the marketing of pharmaceutical products. The marketing takes the form of mailings and phone calls, and appears to be prescription renewal reminders or suggestions about alternate medications.

Jeffrey R. Krinsk, an attorney with San Diego-based Finkelstein & Krinsk, the law firm representing the Privacy Rights Clearinghouse, says that the marketing messages are deceptive. "Recipients are led to believe that it's part of a program that's directed at their welfare, but it's directed to enhancing drug consumption," he says.

Under the Health Insurance Portability and Accountability Act, this practice is not illegal. While the federal medical privacy law prohibits the use of health information for marketing purposes without patient authorization, it exempts certain activities from the statutory definition of "marketing." But California's Confidentiality of Medical Information Act, conceived to close this loophole in HIPAA, defines marketing in more expansive terms.

"The specific California code provision that we're dealing with prohibits the pharmacy from selling, sharing, or otherwise using any medical information for any purpose," Krinsk explains. "The critical distinction that they make, that we believe is of no consequence, is they say that they don't sell the information. They claim that the process that they employ doesn't constitute selling or using of information. Rather than selling the names and addresses they instead either handle [the data] internally or handle some of it internally and then contract out to third-party administrators. We allege that's a distinction without a difference."

This isn't the first case involving retail stores and alleged misuse of medical information. In 1998, according to a Massachusetts Superior Court memorandum, the drug-store chain CVS allegedly contracted with data-management company Elensys Care Services to send direct mail pitches to CVS customers promoting new pharmaceutical products. The solicitations, on CVS letterhead, were sent by Elensys and paid for by pharmaceutical companies such as Glaxo and Merck, the memorandum alleges, in direct violation of CVS's privacy policy.

Litigation in the CVS case continues despite the passage of a year without significant activity. The case has been referred to a special master and is currently under advisement. Elenysys has since changed its named to Adheris. The renamed data-management company is working with Albertsons, claims Krinsk, who is also involved in the case against CVS.

"The big issue in all these cases is deception," says John L. Hines, Jr., a partner in the Internet and Technology Practice Group at Chicago law firm Sachnoff & Weaver. "You say you're going to do one thing and you don't do it."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll