Walgreens Penalty Leads Breach RoundupCompany to Appeal $1.4 Million Ruling
In this week's breach roundup, Walgreens plans to appeal a $1.4 million penalty after a breach involving a pharmacist. Also, Stanford University is asking all users of its computer systems to change their passwords following a breach of its information technology infrastructure.
Walgreens to Appeal $1.4 Million Penalty
A jury in Marion County, Ind., has awarded a woman $1.4 million after it found that a pharmacist at a Walgreens store in Indianapolis inappropriately reviewed and shared the woman's prescription history. The drugstore chain plans to appeal the ruling in the civil lawsuit.
The pharmacist reviewed the prescription history of her husband's ex-girlfriend, according to the Indianapolis Star. The suit claimed Walgreens was negligent in training and supervising the pharmacist.
The pharmacist was disciplined "appropriately" for her actions, the company said.
Walgreens also said in its statement: "We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy. We intend to appeal the ruling."
Stanford Breach Sparks Password Reset
Stanford University is asking all users of its computer systems to change their passwords following a breach of its information technology infrastructure.
The university is asking those with a SUNet ID to change their passwords, according to a statement posted to the school's website, which provides sparse details about the incident. Hospital employees and School of Medicine employees with hospital accounts are encouraged to have different passwords for their SUNet and hospital accounts, the statement said.
"Stanford treats information security with the utmost seriousness and is continually upgrading its defenses against cyber-attacks," the statement said.
This is the sixth breach Stanford has experienced in recent years (see: Fifth Stanford Breach Leads Roundup).
X-Rays Stolen from Storage Warehouse
Henry Ford Health System in Michigan is notifying more than 15,000 patients that old X-ray films were stolen from a warehouse where they were being stored prior to destruction.
The X-rays were taken between 1996 and 2003, according to a statement issued by the healthcare system. Compromised information may have included names, medical record numbers, age or date of birth, building location where X-ray was taken and the X-ray image itself.
The theft occurred at a storage warehouse owned and operated separately from Henry Ford, the provider organization said. A warehouse employee was arrested in connection with the theft.
The X-ray film has not yet been recovered.
Affected patients will not receive identity theft monitoring services because the films did not contain any personal identifying information that could be used for identity theft, according to an FAQ.
Hospital Bills Sent to Wrong Addresses
Clark Memorial Hospital in Jeffersonville, Ind., is notifying about 1,100 patients of a breach resulting from a mailing error involving a vendor.
Clark Memorial uses Mail Louisville Inc., to process and mail billing statements, according to a statement issued by the hospital. On July 16, the hospital learned that through a processing error at the vendor, the billing statements were sent to the wrong addresses.
The information on the statements included patient name, date of service, general category of service, a randomly assigned hospital account number, amount charged, amount paid by the patient's insurance company and the amount remaining due on the account.
"The statement did not include detailed clinical information, such as diagnosis, or Social Security number, date of birth, or insurance account numbers," the statement said.
The hospital has set up a call center to respond to patient questions. It's also assessing its current relationship with Mail Louisville in light of this incident, the statement said.