theDataMap

Documenting all the places
personal data goes.

healthDataMap


Legend: with your name, without your name.
Click on a circle above for names of organizations and details of data shared.


Retail and 3rd-party on-site pharmacies receive data from you and from physicians, and provide data to pharmacy benefits managers and clearing houses for payment, and to pharmaceutical companies and prescription analytics companies for marketing purposes.

Laws require a prescription as a condition of acquiring controlled medications. The information on a prescription includes your name, date of birth, and address, the date, and the name of the physician and kind and dosage of the medication.

Examples

Kabafusion purchases statewide personal hospital discharge data from at least CA [source]. See more information about the fields of data shared, an example of matching real names to the records in statewide discharge data, and which states use standards less than the HIPAA standard.

  

Crescent Health Inc., Walgreens had a data breach in 2013, in California. Desktop computer hardware was stolen from the Anaheim Billing Center of Crescent Healthcare, Inc. on December 28, 2012. The theft was discovered on Monday, December 31 and reported to law enforcement. Names, Social Security numbers, health insurance identification numbers, health insurance information, dates of birth, diagnoses, other medical information, disability codes, addresses, and phone numbers may have been exposed.UPDATE(04/03/2013): Over 100,000 people were affected. (100000 records involved) [source].

  

CVS Caremark Corp. had a data breach in 2011, in Rhode Island. According to a complaint filed against CVS, CVS used the confidential information of customers to push certain drugs. CVS is accused of receiving payment for promoting certain pharmaceutical drugs to targeted groups of people. CVS may have violated consumer privacy by sending promotions for specific medications to the physicians of customers. The complaint was filed on March 7. [source]

  

CVS Caremark had a data breach in 2011, in Rhode Island. The theft of paper records may have resulted in the exposure of patient information. The theft may have occurred on August 13, 2012 and was reported or discovered on November 16, 2012. [source]

  

CVS Caremark had a data breach in 2012, in Rhode Island. The information was breached via Paper/Films. [source]

  

CVS Health had a data breach in 2015, in Rhode Island. The information was breached via Desktop Computer. [source]

  

CVS Health had a data breach in 2017, in Rhode Island. The information was breached via Paper/Films. [source]

  

CVS Pharmacy, Imperial Beach had a data breach in 2015, in California. A pharmacy technician at the CVS Pharmacy on Saturn Boulevard in Imperial Beach California has admitted to stealing customer records and providing the information to her property manager who then used the information to gain credit and credit cards. An further investigation is currently being conducted. The California State Board of Pharmacy has suspended the license of the pharmacy tech, Nicole Yvonne Flores and CVS no longere employs Ms. Flores. [source]

  

CVS Pharmacy had a data breach in 2007, in Texas. [source]

  

CVS/Caremark had a data breach in 2014, in Georgia. [source]

  

Evolution Nature Corp. dba The Evolution Store had a data breach in 2014, in New York. Evolution Nature Corp., dba The Evolution Store contacted customers regarding a data breach to their online stores affecting customer credit card information.The company received a complaint of credit card fraud from a customer and launched an investigation by a data forensics expert. The investigation revealed that the administrative portion of the Evolution e-commerce site was accessed by an unauthorized third party that was using administrative credentials exposing customer order information.The information exposed included names, email addresses, phone numbers, billing addresses, shipping addresses, order information, and credit/debit card information, including the CVV numbers on the backs of the cards.For those affected, the company is offering AllClear Secure for 12 months at no cost. [source]

  

LaCie USA had a data breach in 2014, in Oregon. The information was breached via Website. [source]

  

Longs Drug Stores California Inc. had a data breach in 2007, in California. A data storage tape containing backup data relating to pharmacy transactions was stolen during a store burglary. It contained customer names, prescription information and insurance plan membership information. Some membership numbers were or contained Social Security numbers. [source]

  

Main Street Pharmacy had a data breach in 2012, in California. A doctor was convicted of prescription drug fraud, identity theft, illegal possession of controlled substances, and burglary. She was arrested in January 2009 following a yearlong narcotics investigation and subsequently pleaded guilty to 272 felony counts. The doctor had a drug addiction. She forged the signatures of several doctors and stole the identity of at least 15 patients in order to maintain her drug habit. She was sentenced to a year in jail, five years of probation, completion of a drug rehabilitation program, and completion of 1,000 hours of community service. The dishonest doctors license was also permanently revoked. [source]

  

Omnicare Inc. had a data breach in 2011, in Kentucky. [source]

  

Rite Aid Corporation had a data breach in 2010, in Pennsylvania. [source]

  

Rite Aid Corporation had a data breach in 2012, in Pennsylvania. A customer using RiteAids mobile app to check a prescription noticed that he was able to access the names, addresses, and prescription records of other customers. The customer was able to identify some of the problems by using his computer science background. He noticed there was no secure login tied to web service calls made from the smartphone application. The customer was able to correspond with several RiteAid representatives and RiteAid began to address some of the security concerns. [source]

  

RIte Aid Corporation had a data breach in 2012, in Pennsylvania. Rite Aid paid one million dollars to settle HIPAA privacy violations. Rite Aid also agreed to update corporate policies and procedures so that patient medical information would be properly disposed, employees would be properly trained in disposal of patient information, and employees would be held accountable if they did not dispose of patient information properly. [source]

  

Rite Aid Pharmacy had a data breach in 2014, in Washington. Rite Aid Pharmacy in Milton Washington notified customer of a data breach, when someone stole a "stack of expired prescription records from a Rite Aid pharmacy in Milton, the company announced Wednesday". [source]

  

Rite Aid had a data breach in 2017, in Pennsylvania. Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details.An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017 when the intrusion was detected and unauthorized access was blocked.During the time that unauthorized individuals had access to its e-commerce platform they obtained customers names, addresses and payment card information including card numbers expiry dates and CVV numbers. The incident impacts all customers who used the online store between the above dates and manually entered their payment card details. [source]

  

Several Indianapolis pharmacies had a data breach in 2006, in Indiana. Earlier this year a local tV reporter from WTHR found that dozens of pharmacies disposed of customer records in unsecured garbage bins. Now the Indiana board of Pharmacy has launched an investigation of 30 pharmacies. both the Board and the Attorney General say that the pharmacies violated state law. [source]

  

Walgreens Co. had a data breach in 2011, in Illinois. According to a complaint filed against Walgreens, Walgreens sold confidential information of customers to data mining companies who resold it to pharmaceutical companies. Walgreens is accused of receiving payment for prescription information that only patients had the right to sell. Walgreens sells patient data that includes sex, age group, state, ID number of the providing doctor and the name of the drug that is taken. [source]

  

Walgreens had a data breach in 2012, in California. Names, dates of birth and Social security numbers of roughly 28,000 state retirees were e-mailed to the kentucky Retirement Systems without being properly encrypted for security purposes by its pharmacy benefit provider. The e-mail contained dates of birth, Social Security numbers and health insurance claim numbers but not personal health information. The file contained information only on members who were both Medicare-eligible and used the retiree pharmacy benefit through Walgreens in 2007. [source]

  

Walgreens had a data breach in 2013, in Kentucky. A Walgreens pharmacist used patient information to obtain prescriptions for powerful drugs. The fraudulent activity occurred between April 2011 and January 2012. The dishonest pharmacist pleaded guilty to aggravated identity theft, wire fraud, and fraudulently acquiring controlled substances on November 19, 2012.She was sentenced to 25 months in prison and one month of supervised release. [source]

  

Walsh Pharmacy had a data breach in 2010, in Massachusetts. A DVD with patient information was lost in transit. Information included patient names as well as some Social Security numbers, health insurance information, drivers license numbers and prescription information. The DVD was not in the envelope when the recipient opened it.UPDATE (8/18/10): The incident involved 11,440 patients. [source]

  

Winn-Dixie had a data breach in 2007, in Mississippi. Pharmacy documents were found behind a closed Winn-Dixie grocery store, containing telephone numbers, social Security numbers and addresses of thousands of individuals. Apparently when the grocery store/pharmacy closed, employees put bundles of documents outside to be picked up. However, they were never retrieved. [source]

  
  

(return to health DataMap)



Copyright © 2012-2016 President and Fellows Harvard University.