Venable partner Milo Cividanes was quoted in a recent story published in BNA's Privacy & Security Law Report about CVS’ recent resolution agreement with the Department of Health and Human Services and settlement with the Federal Trade Commission, settling alleged Health Insurance Portability and Accountability Act (HIPAA) and privacy policy violations.
Specifically, both FTC's and HHS's charges stem from allegations that CVS Caremark pharmacies nationwide were tossing into open dumpsters a multitude of sensitive personal health and financial information.
According to HHS, the CVS resolution agreement is only the second the department has entered into to resolve HIPAA privacy violation allegations, demonstrating the seriousness of violations.
“Data disposal remains the Achilles' Heel of data security,” said Cividanes. “People tend to place greater effort into safeguarding the personal data that is currently in use than the data that has become obsolete and targeted for disposal. So they focus upon protecting the collection, transfer, and storage of personal data. They tend to forget that the ‘lifecycle’ of personal data does not end with the decision to dispose of the data, but rather ends with the data's proper disposal.”