Walgreens Penalty Leads Breach Roundup

Company to Appeal $1.4 Million Ruling
Walgreens Penalty Leads Breach Roundup

In this week's breach roundup, Walgreens plans to appeal a $1.4 million penalty after a breach involving a pharmacist. Also, Stanford University is asking all users of its computer systems to change their passwords following a breach of its information technology infrastructure.

See Also: OnDemand Webinar | Utilizing SIEM and MDR for Maximum Protection

Walgreens to Appeal $1.4 Million Penalty

A jury in Marion County, Ind., has awarded a woman $1.4 million after it found that a pharmacist at a Walgreens store in Indianapolis inappropriately reviewed and shared the woman's prescription history. The drugstore chain plans to appeal the ruling in the civil lawsuit.

The pharmacist reviewed the prescription history of her husband's ex-girlfriend, according to the Indianapolis Star. The suit claimed Walgreens was negligent in training and supervising the pharmacist.

In a statement sent to Information Security Media Group, Walgreens said: "We take seriously our responsibility to safeguard the privacy of medical records in our possession. The pharmacist in this case admitted she was aware of our strict privacy policy and knew she was violating it."

The pharmacist was disciplined "appropriately" for her actions, the company said.

Walgreens also said in its statement: "We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy. We intend to appeal the ruling."

Stanford Breach Sparks Password Reset

Stanford University is asking all users of its computer systems to change their passwords following a breach of its information technology infrastructure.

The university is asking those with a SUNet ID to change their passwords, according to a statement posted to the school's website, which provides sparse details about the incident. Hospital employees and School of Medicine employees with hospital accounts are encouraged to have different passwords for their SUNet and hospital accounts, the statement said.

"Stanford treats information security with the utmost seriousness and is continually upgrading its defenses against cyber-attacks," the statement said.

This is the sixth breach Stanford has experienced in recent years (see: Fifth Stanford Breach Leads Roundup).

X-Rays Stolen from Storage Warehouse

Henry Ford Health System in Michigan is notifying more than 15,000 patients that old X-ray films were stolen from a warehouse where they were being stored prior to destruction.

The X-rays were taken between 1996 and 2003, according to a statement issued by the healthcare system. Compromised information may have included names, medical record numbers, age or date of birth, building location where X-ray was taken and the X-ray image itself.

The theft occurred at a storage warehouse owned and operated separately from Henry Ford, the provider organization said. A warehouse employee was arrested in connection with the theft.

The X-ray film has not yet been recovered.

Affected patients will not receive identity theft monitoring services because the films did not contain any personal identifying information that could be used for identity theft, according to an FAQ.

Hospital Bills Sent to Wrong Addresses

Clark Memorial Hospital in Jeffersonville, Ind., is notifying about 1,100 patients of a breach resulting from a mailing error involving a vendor.

Clark Memorial uses Mail Louisville Inc., to process and mail billing statements, according to a statement issued by the hospital. On July 16, the hospital learned that through a processing error at the vendor, the billing statements were sent to the wrong addresses.

The information on the statements included patient name, date of service, general category of service, a randomly assigned hospital account number, amount charged, amount paid by the patient's insurance company and the amount remaining due on the account.

"The statement did not include detailed clinical information, such as diagnosis, or Social Security number, date of birth, or insurance account numbers," the statement said.

The hospital has set up a call center to respond to patient questions. It's also assessing its current relationship with Mail Louisville in light of this incident, the statement said.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.asia, you agree to our use of cookies.