Medical privacy | HIPAA | FTC — According to a legal complaint, CVS pharmacies — the largest pharmacy chain in the United States — did not take appropriate steps to protect its customers’ and employees’ sensitive information when it improperly disposed of documents, labels, prescription bottles, and other items with clearly identifiable and highly sensitive personal information such as SSNs, prescription information, driver’s license numbers, and other information still on those materials. CVS agreed to pay $2.25 million to settle its violations of HIPAA as part of a Resolution Agreement with the Department of Health and Human Services. CVS has also signed a consent agreement with the FTC; the public can comment on this agreement until March 20, 2009. The World Privacy Forum will be filing comments with the FTC on the consent agreement with CVS, which we will post here.
Internet privacy — The Federal Trade Commission released its self-regulatory principles for behaviorally-targeted advertising today. The World Privacy Forum will be holding a press conference responding to the principles at 12:30 p.m. Eastern.
Internet privacy — The World Privacy Forum filed a complaint today with the Federal Trade Commission regarding AOL’s multiple releases of portions of its users’ search query histories. The complaint discusses AOL search query releases from 2004 and 2006. The complaint alleges that the data release was intentional, and due to significant identifiability issues of the data subjects, that the releases are harming some AOL customers, and that AOL customers did not know their search histories would be made available to the public. The World Privacy Forum urges consumers to take precautions when using search engines.
Do Not Call Registry — In its fourth annual report to Congress on the Do Not Call Registry, the Federal Trade Commission released some interesting new statistics. As of September 2007, there were 145,498,656 telephone numbers in the Do Not Call Registry. The FTC also reported that 6,242 entities paid over $21 million for access to the DNC Registry in 2007. The report also details the FTC’s enforcement actions against businesses violating the DNC Registry rules. As of September 30, 2007, the FTC had filed 25 cases regarding DNC Registry violations and had settled 22 of the cases.
Financial privacy — The World Privacy Forum filed comments with the Federal Trade Commission today about its proposed study of credit -based pricing practices for homeowners insurance. The World Privacy Forum requested that the FTC ask insurers if there are specific procedures in place for detecting, mitigating, and responding to consumers who have been victims of identity theft. The WPF noted its support for the FTC’s use of the FTC Act Section 6(b) authority to acquire robust information from the insurance companies.