Citibank To Pay $55K Fine To Settle Data Breach Investigation
Edward Snowden Receives German Whistle Blower Award

CVS To Pay $250K Fine For Improper Records Disposal And Selling Expired Products

CVS Pharmacy logo Just before the long holiday weekend, the State of Maryland Attorney General's office announced a settlement with CVS Pharmacy, Inc. and Maryland CVS Pharmacy, LLC after CVS failed to adequately protect customers' sensitive financial and medical information. Terms of the settlement require CVS to pay a $250,000 fine.

The settlement resolves two key allegations:

  • CVS improperly disposed of customers records in open trash bins, and
  • CVS sold products after the products' expiration dates or "sell by" dates.

The Maryland Attorney General's Consumer Protection Division (CPD) investigated both allegations. The alleged sale of expired products included baby formula, dairy products, over-the-counter drugs, and vitamins. CVS had allegedly failed to maintain and enforce security methods that were already in place to protect consumers. The Maryland Attorney General's announcement stated:

"Under the Maryland Consumer Protection Act, it is an unfair and deceptive trade practice for a business to attempt to dispose of records containing its customers' personal information without taking reasonable steps to protect against unauthorized access to or use of them. It is also an unfair and deceptive trade practice to offer for sale a product that is no longer effective for its intended use."

For effective data security, the terms of settlement agreement require CVS to:

  1. Maintain, revise as needed, and enforce newly established policies and procedures for the disposal of customers sensitive medical information (e.g., called Protected Health Information or PHI),
  2. Implement an employee training program for handling and disposing of patient information,
  3. Conduct internal monitoring, and
  4. Report any noncompliance to the Maryland CPD for three years.

To prevent the sale of expired products, the terms of the settlement agreement also require CVS to:

  1. Implement policies and procedures about the sale of expired products
  2. Prompt cashiers via checkout registers to confirm that dairy products, baby food, infant formula and over-the-counter children's drugs are not expired. CVS is to implement this program for three years.
  3. Offer consumers a $2.00 discount coupon toward any purchase if a consumer finds and turns in an expired product (over-the-counter drugs, edible product, and vitamins and dietary supplements) on store shelves. CVS is to provide this offer for two years.


Feed You can follow this conversation by subscribing to the comment feed for this post.


It is no longer enough to rip off a mark once, they now expect to get away with it month after month. According to the Delaware Attorney General this is not Identity Theft. Some people can't tell the difference, and assume that it was a fine sale. So the only way that a defendant in a credit card fraud case can prove that the purchase he made was not illegal is to have it in writing.

The comments to this entry are closed.