Retail pharmacy chain Rite Aid issued a statement on June 3 to notify the media that an undisclosed number of customers from several Baltimore area stores might have been affected by breaches of their protected health information (PHI) resulting from the looting and riots that took place in late April.
“A number of our Baltimore locations, along with many other Baltimore businesses, were broken into and looted and/or severely damaged as a result of civil unrest,” the Rite Aid statement says. “Due to these criminal activities, a number of prescriptions were either damaged beyond recovery or stolen. The stolen prescriptions or prescription information would have contained sensitive information such as patient names, patient address, medication name, and [drug] directions. It is important [to note] that no financial information such as credit card numbers or Social Security numbers was involved.”
The Rite Aid pharmacies weren’t the only ones affected by the looting. Some 27 Baltimore-area pharmacies were looted or broken into during the riots. CVS Health has also said that the chain would be notifying patients whose PHI might have been compromised during the riots.
While looting incidents are relatively rare, pharmacies experience robberies and thefts frequently. To safeguard PHI against thieves, basic information security principles should apply.
- Encrypting all data, including that in databases and servers
- Reducing paper-based PHI to the minimum necessary
- Locking up any papers, labels, and prescription medications after hours
- Utilizing a just-in-time labeling process for pill bottles can reduce risk of loss of PHI
The HHS Office for Civil Rights provides additional guidance on their website.