HIPAA Blog

[ Tuesday, May 05, 2015 ]

 

Baltimore Riots: Anyone know whether CVS suffered a data breach when their store was looted?  An inquiring reader of the blog (from Birmingham Montgomery, AL) raised the issue, and it's definitely interesting.

My assumption would be that the store operates on some sort of dumb terminal pharmacy information system for the drug records, so that there's no real data stored in any of their drugstores; it appears on the in-store computers while they are being used, but isn't stored there, so that when the computers are powered down and disconnected from the central network, they don't have PHI.  Of course, there would be some PHI in the form of paperwork, particularly in the bags of filled-but-not-purchased prescriptions.  There might be some other paper records as well.  And CVS should have disaster recovery systems to determine whose filled prescriptions were potentially taken, but I'm not sure how well they'd be able to tell if any other paper records were compromised.

Could be an interesting exercise at CVS right about now. . . .

Jeff [4:42 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template