Walgreens avoids penalty after 9-year privacy breach investigation


INDIANAPOLIS (WTHR) — A decade after WTHR exposed that the country's largest pharmacy chains had failed to protect their customers' sensitive healthcare information, 13 Investigates has learned government regulators have quietly closed their investigation into improper trash disposal practices by Walgreens.

The government's decision – announced in an e-mail to WTHR – means Walgreens will not face any federal penalty despite repeatedly violating federal law and jeopardizing customer privacy in the same manner that resulted in record-setting fines against its largest competitors.

"This is hard to understand and hard to fathom, given the facts of the case and the blatant nature of the violation," said privacy law expert Joan Antokol. "It sends all the wrong messages."

A WTHR investigation finds the case is not unique.

Caught on camera

WTHR began investigating pharmacy disposal practices in 2006 following a brazen robbery.

A drug addict stole Margie Kerr's pain medication after showing up at the grandmother's front door. According to police, the thief targeted Kerr after finding her prescription records in a dumpster behind her Bloomington drug store.

Pharmacies not protecting your private information isn't just dangerous. It's a major violation of the nation's healthcare privacy law called HIPAA. The federal law requires drug stores, medical facilities and healthcare professionals to safeguard patients' protected health information (PHI) – including properly disposing of medical information when it is no longer needed.

So during the summer of 2006, WTHR checked unlocked dumpsters behind dozens of Indiana drug stores. Many of them contained bags full of sensitive customer information. 13 Investigates discovered the healthcare records of thousands of unsuspecting customers, including their names, addresses, and phone numbers; the medications they took; the names of their doctors; and, in some cases, their financial and credit card information.

At the time, pharmacy officials insisted the discoveries were isolated local incidents. A Walgreens regional manager told Eyewitness News the problem would be corrected quickly.

"We apologize. We'll address the procedures and ensure they are followed in the future," she said.

But when WTHR then expanded the investigation beyond Indiana -- checking Walgreens, CVS and Rite Aid dumpsters in 12 other states -- the findings exposed a nationwide problem that captured the attention of federal regulators in Washington, D.C.

Million dollar fines

After showing video of sensitive healthcare information sitting in drug store dumpsters in cities such as Phoenix, Miami, Detroit, Philadelphia, Denver and Chicago, WTHR's investigation made national headlines.

The U.S. Department of Health and Human Services assigned the case in 2007 to its Office for Civil Rights, the federal agency responsible for investigating alleged HIPAA violations. Based on WTHR's video, OCR and the U.S. Department of Justice reached settlement agreements with both CVS and Rite Aid. Those agreements included a combined $3.25 million in fines – among the largest penalties in U.S. history for companies trashing their patients' privacy.

The settlements against CVS and Rite Aid were announced in 2009 and 2010, respectively. But years passed with no announcement or settlement involving Walgreens.

While CVS and Rite Aid paid significant fines for their violations, the government's investigation into Walgreens' disposal violations dragged on with no resolution.

"These investigations, we never know how long they're going to take," OCR (now former) director Leon Rodriguez told WTHR in 2012. Asked why the Walgreens case was taking such a long time to investigate and resolve, Rodriguez said he could only speak in generalities.

"If I was in your shoes, I'd feel the same way. I've been around long enough to know for perfectly legitimate reasons, an investigation can take five years and even more. And there are times the reasons are not legitimate."

Two more years passed.

And two more after that.

Still, no settlement announced for Walgreens.

Last month, on the 10-year anniversary of WTHR's initial investigation, 13 Investigates again reached out to OCR, the U.S. Department of Justice and the U.S. Department of Health and Human Services' Office of Inspector General to see if anyone would provide an update on a federal investigation that regulators had launched nine years earlier.

After a flurry of phone calls and e-mails between Indianapolis and Washington, an OCR spokeswoman sent an e-mail consisting of five familiar words:

"The case is still open."

"Man, ten years is a long time!"

The news – or lack thereof – came as both a surprise and a disappointment to Williams Means.

"After ten years? Man, ten years is a long time!" he said, sitting in the front yard of his eastside Indianapolis home. "Did they forget about it, or are they just trying to sweep it under the rug?"

Means first spoke with WTHR exactly ten years earlier, when 13 Investigates found his personal healthcare information in a dumpster behind the Walgreens near Post Road and East 38th Street.

The dumpster contained hundreds of discarded prescription labels, including labels for medications that doctors had prescribed for Means' arthritis.

"They should face some kind of penalty for that. I'd like to see them suffer the same penalties and same fines as the other two stores had to pay. It's not like it was an accident," he said.

Antokol, who has closely followed WTHR's Prescription Privacy investigation for the past decade, says she has never seen a HIPAA case drag on for so long.

"Never. Ten years is a long time for a case to remain open … and it's a very bad idea. Sends the wrong message to organizations that you really can't have a deterrent effect when the penalties come so long afterward."

A few days after speaking with Antokol and Means – and just a few weeks after 13 Investigates told OCR that it would soon broadcast a follow-up story on the lingering Walgreens case – WTHR got another e-mail from Washington.

Case closed

"The HHS Office for Civil Rights (OCR) can share that, as of today, this case has now closed," wrote Rachel Seeger, OCR's senior advisor of public affairs and outreach.

Seeger's statement explains that Walgreens took "immediate corrective actions" after learning of WTHR's first news report in 2006. (That statement is not true, as evidenced by WTHR video showing patient records in Walgreens dumpsters well after the initial news reports. And a separate investigation by state regulators in late 2011 – five years after WTHR's reports – found Walgreens stores across California "disposed of customer records containing confidential medical information without preserving the confidentiality of the information contained therein.")

She also points out that Walgreens took steps to lock all dumpsters, re-train staff, and revise and strengthen its disposal policies. (Based on subsequent inspections by WTHR and internal documents obtained by Eyewitness News, those statements do seem to be accurate.)

"OCR has determined that all of the issues raised in this matter have now been resolved by voluntary compliance actions of Walgreens," Seeger wrote to end her e-mail.

Translation: No settlement. No fine. No significant consequences.

Unlike its competitors, Walgreens will face no punishment imposed by the federal government for violating federal privacy laws and jeopardizing the privacy of its customers.

1000's of violations. Few penalties.

Walgreens certainly isn't the only company to violate HIPAA and get away with it. Take a look at the numbers:

Since the HIPAA law took effect 13 years ago, OCR has received about 135,000 HIPAA complaints.

So far, investigators have found roughly 24,000 of those complaints to be actual violations that required corrective action and/or technical assistance. (OCR data suggests investigators find most HIPAA rule allegations to be unfounded or unenforceable.)

The government has assessed HIPAA fines against just 39 companies.

That's 24,000 violations. 39 fines.

The math works out to approximately one penalty for every 615 confirmed violations.

And there are more than 5,000 open HIPAA complaints that have not yet been resolved.

Officials at OCR say the goal of HIPAA enforcement is not punishment, but rather ensuring that violators make appropriate changes to protect patient privacy.

"In most of these cases, an entity will be able to demonstrate satisfactory compliance with the HIPAA Rules through this type of resolution, and compliance issues will be addressed effectively [and] more quickly," explained Seeger, adding that settlement agreements and fines require lots of time and the collection of evidence, since those cases often are tried before an administrative law judge or a court.

Antokol believes a lesser penalty for Walgreens may have been warranted in this case – if the company proved it took comprehensive steps to remediate problems exposed by WTHR.

"If Walgreens made a good faith effort and acted more quickly than the other pharmacies in your investigation, that would make a difference for OCR," she said.

But Antokol, who counsels companies worldwide on HIPAA law and compliance, is stunned to learn the pharmacy giant will receive no federal penalty at all.

"It was an egregious violation. It doesn't seem right that Walgreens should walk away completely," she said. "Even if they did respond more appropriately, they still showed an utter disregard for patient privacy – totally unacceptable under HIPAA. It sends a message of unfairness."

That's not to say companies like Walgreens get themselves off the hook completely. Antokol points to California's 2011 Walgreens investigation that resulted in a $16.6 million fine for improper disposal of customer information and toxic substances. The Indiana Attorney General also ordered Walgreens to repay the state $6,000 to resolve widespread privacy violations exposed by WTHR.

And some HIPAA violators are fined multiple times for committing the same offense. When the Texas Attorney General's office duplicated WTHR's dumpster diving investigation in 2007, discovering CVS dumpsters full of patient records, its resulting settlement slapped the drug store chain with a $315,000 fine.

Those state cases were aggressively investigated and quickly resolved.

The same cannot be said for federal HIPAA investigations.

It's little surprise OCR has been criticized both by lawmakers and its own Inspector General for a lack of HIPAA enforcement. That criticism seems to have made little difference.

Walgreens response

Staff at Walgreens headquarters tell 13 Investigates they have not received any communication from federal regulators about the 2006 Prescription Privacy case for more than five years.

And contacted earlier this week by WTHR, a Walgreens spokesman said the pharmacy chain had not yet received a closure letter from OCR notifying Walgreens that the government's investigation is now complete.

"We are constantly reviewing our privacy policies and practices, and updating them as needed," said Michael Polzin, Walgreens vice president of corporate communications. He told WTHR he wants to receive OCR's official closure letter before commenting further.