
Internal emails raise questions about government’s investigation into Walgreens privacy breach

Why was Walgreens treated so differently than the other two pharmacy chains — even though all three were caught violating the same federal law?

INDIANAPOLIS — The nation’s three largest pharmacy chains were all caught red-handed.

A 13News investigation revealed the drugstores had been disposing of their customers’ protected health information in unsecured dumpsters — a clear violation of the nation’s health care privacy law known as HIPAA.

Following that 2006 WTHR investigation, CVS and Rite Aid reached settlement agreements with the U.S. Department of Health and Human Services’ Office for Civil Rights, and they paid a combined $3.25 million in fines for jeopardizing their customers’ privacy. At the time, they were the largest settlements the government had ever reached for violations of HIPAA.

But the government’s Walgreens investigation was very different. Unlike the CVS and Rite Aid cases — which were both resolved within a few years — OCR’s Walgreens investigation dragged on for nearly a decade. And it resulted in no settlement. No fine. No penalty at all.

Why was Walgreens treated so differently than the other two pharmacies — even though all three were caught violating the same federal law?

New documents obtained by 13News show senior officials at OCR did not know their own case against Walgreens was still open 10 years after the violations took place. The internal emails suggest the government may have forgotten it was investigating Walgreens at all, raising questions about what happens — and what does not happen — when big companies trash your privacy.

Credit: WTHR
A 2006 13News investigation exposed serious HIPAA violations inside pharmacy dumpsters across the nation, prompting three separate investigations.

How the drugstores were caught

WTHR’s 2006 investigation began after Marjorie Kerr was robbed at her front door. A drug addict posing as a drugstore worker stole the grandmother's pain medication right out of her hand after finding Kerr’s prescription records inside a pharmacy dumpster in Bloomington.

Following that crime, 13 Investigates searched drugstore dumpsters throughout central Indiana, finding dozens of them contained the protected health care information (PHI) of hundreds of Hoosiers. 

Pharmacy managers and corporate executives told 13News the HIPAA violations exposed by WTHR’s investigation were isolated incidents, and they promised to make changes.

But over the next several months, when 13 Investigates expanded the investigation to include drug stores all across the nation, it became clear the problem was not limited to Indiana and the violations had not been fixed.

(NOTE: The story in the video below originally aired in July 2006.)

13News found PHI in drugstore dumpsters from Phoenix and Denver to Miami and Detroit. Inspecting a random sampling of pharmacy dumpsters nationwide revealed the widespread practice of throwing customers’ private — and often sensitive — health care information into wide open dumpsters jeopardized the privacy and safety of millions of Americans.

After seeing WTHR’s investigation, OCR (the government agency charged with enforcing HIPAA) launched investigations of its own.

Regulators announced a $2.25 million fine against CVS in 2009, and Rite Aid agreed to a $1 million fine the following year. OCR said the 13News investigation, which clearly showed the drugstore chains had violated HIPAA, played a significant role in the resolution agreements and corrective action plans that federal agencies reached with CVS and Rite Aid.

Credit: WTHR
CVS and Rite Aid paid a combined $3.25 million in fines for failing to protect their customers' personal health information.

The pharmacies “failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process [and] failed to adequately train employees on how to dispose of such information properly,” according to OCR.

But government regulators said nothing about Walgreens.

What’s taking so long?

Between 2007 and 2011, 13News repeatedly asked OCR about the status of its Walgreens investigation. Each time, the federal agency informed WTHR the case was still open.

“These investigations, we never know how long they're going to take,” OCR former director Leon Rodriguez told 13News in fall 2011. “I’ve been here long enough to know sometimes, for perfectly legitimate reasons, an investigation can take five years and even more. And there are times when the reasons are not legitimate.”

While he would not comment on an open investigation, Rodriguez said his agency had high expectations that companies and health care providers would follow HIPAA regulations. He also told 13News that OCR would be imposing more fines and harsher penalties in the future when those rules were broken.

Five years later, when 13 Investigates again contacted the Office for Civil Rights in the summer of 2016 for an update about its Walgreens investigation, an agency spokeswoman emailed to say “This case is still open.”

Asked why the case remained open for so long with no resolution, OCR did not respond for nearly seven weeks. And when an agency spokeswoman did reply, she dropped a bombshell.

“The HHS Office for Civil Rights (OCR) can share that, as of today, this case has now closed,” wrote OCR public affairs senior advisor Rachel Seeger. She also said Walgreens would face no fines or other penalties for violating HIPAA.

“OCR reviewed the matters raised in the WTHR news reports and conducted an in-depth compliance review of Walgreens nationally. To resolve the issues raised in this matter, Walgreens took immediate corrective actions upon learning of the first 2006 WTHR news report. By November 2006, all Walgreens dumpsters nationwide that were accessible to the public were locked. Further, Walgreens provided proof of the voluntary compliance actions it took immediately, and on an ongoing basis, revised and strengthened its disposal policies; made dumpster or gate locks available through its distribution centers for those Walgreens stores that did not have self-locking dumpsters; immediately provided training/re-training to Indianapolis store employees regarding its disposal policies; and to provide ongoing training to its staff nationwide regarding its disposal policies. Based on our review of the facts and circumstances of this matter, OCR has determined that all of the issues raised in this matter have now been resolved by voluntary compliance actions of Walgreens.”

While Walgreens did initiate “immediate corrective actions,” those actions did not intensify until after WTHR exposed ongoing problems at Walgreens in at least 10 other cities outside of Indiana. What Walgreens originally described as “isolated incidents” were actually a part of a systemic problem involving Walgreens stores nationwide.

And Walgreens was not the only pharmacy chain to take action after 13 Investigates found customers’ personal health care information in the drugstore dumpsters. CVS and Rite Aid also took steps to prevent further violations. Yet OCR scolded those companies and imposed millions of dollars in fines, while the federal agency closed its decade-long Walgreens investigation without even slapping the company’s wrists.

“It sends a message of unfairness,” HIPAA expert Joan Antokol told WTHR when the Walgreens case was closed. The health care privacy attorney said she had never seen the government investigate a HIPAA violation for nearly 10 years.

Nicholas Terry, a law professor at the Indiana University McKinney School of Law and executive director of the Hall Center for Law and Health, also said the government’s decade-long HIPAA investigation was highly unusual.

“I’m not aware of that ever happening,” Terry said.

(NOTE: The story in the video below originally aired in Nov. 2006.)

Internal documents released

To better understand why government regulators handled the Walgreens case differently than those of CVS and Rite Aid — both in the length of the investigations and in the outcome — 13 Investigates immediately filed a request under the Freedom of Information Act.

WTHR submitted the public records request to obtain “all information maintained by the US Department of Health and Human Services and HHS Office for Civil Rights related to its investigation of improper disposal practices by Walgreens, including all documents contained in [the Walgreens] OCR case file…from 07/01/2006 to 08/15/2016.”

OCR did not provide any records until this summer, nearly five years after 13News submitted its FOIA request and 15 years after OCR first learned that Walgreens had committed HIPAA violations by disposing of customer records in unsecured dumpsters.

According to OCR, the federal agency found 951 pages of documents that met the terms of WTHR’s open records request. OCR refused to release 823 of those pages, claiming they are exempt from disclosure because they contain confidential trade secrets or contain personal information. Other pages were partially redacted to cover information the agency says it is not permitted to release publicly.

That left about 115 pages of documents provided to 13News. Those documents consisted primarily of information that had already been publicly released on Walgreens' website, such as the company’s notice of privacy practices and solid waste containment policy. OCR also released several letters the federal agency sent Walgreens to announce the opening and closing of its compliance review investigation, and multiple emails between 13News staff and Walgreens staff (which, of course, we already had).

The most revealing information released by OCR was a set of internal agency emails that show how the agency’s top staff responded to inquiries from 13News just prior to OCR closing the Walgreens case.

On June 6, 2016, WTHR emailed OCR to ask: “Is the HHS [Department of Health and Human Services] case against Walgreens related to WTHR’s investigation still open and ongoing or has it been closed?”

After initially claiming that OCR is not permitted to answer that question, an agency spokeswoman responded about a week later by stating: “The case is still open.”

On June 15, WTHR replied, asking for more information. “I am looking to speak to someone who can help explain why a HIPAA case may take a decade to investigate and resolve,” the email said.

The request was quickly escalated to Deven McGraw, the agency’s Deputy Director for Health Information Privacy, and to Illiana Peters, OCR’s Senior Advisor for HIPAA Compliance. “This reporter is requesting information on why the case has been opened for the last 10 years without resolution… Can you please advise me on how to respond?” OCR public affairs specialist Roxanne Beharry asked.

Twenty-six minutes later, Peters responded: “I thought this case had been closed. Do you have the transaction number? I will ping the Midwest Region on it and get back to you.”

She then sent WTHR’s inquiry to other senior OCR managers, including OCR Deputy Director of Enforcement Valerie Morgan Alston and OCR Midwest Regional Manager Steven Mitchell. “I thought this Walgreens case had been closed. It seems that it's still open,” Peters told them. “Can you (or the investigator) provide an update? We need to determine how to respond to this reporter.”

The agency’s official response came six weeks later — not to WTHR, but to Walgreens — in the form of a letter announcing OCR is “closing this case further action.”

'This is none of your business'

Why OCR levied no fine and why the investigation dragged out for more than a decade are questions the agency will not answer.

13News has sent the agency a long list of questions. OCR has declined to answer any of them, instead emailing a short statement.

“Following a robust investigation of Walgreens, OCR determined that all of the issues raised in this matter were resolved by voluntary compliance actions of Walgreens, and OCR closed the case,” it says.

The lack of information does not sit well with privacy experts.

“The message is we’re not being transparent, so some bad actors are treated one way and other bad actors are treated a different way,” said Erin Jackson, a Chicago attorney who specializes in health care privacy and compliance. She says it still makes little sense that Walgreens would face no penalty for committing the same violations that resulted in settlement agreements and large fines for CVS and Rite Aid.

“If we want these settlements to have a deterrent effect, which we’d hope they would, then we need to be clear about why certain parties are treated different than other parties. What they’ve done, it really says: ‘This is none of your business, public.’ And that’s not the spirit behind OCR investigations or FOIA requests,” Jackson said.

OCR has agreed to re-open WTHR’s Freedom of Information Act request to search for additional records during specific time periods that are missing from its FOIA response. 13News hopes the search will yield additional records that reveal further insights into why the government’s Walgreens investigation lasted a decade with no penalties for its failure to protect customer information that was dumped into the trash at drugstores across the nation.

Credit: WTHR
Bob Segall recently returned to check the security of Walgreens dumpsters and found nearly all the dumpsters were locked. Those that were open did not contain protected health information.

In the meantime, 13News has re-inspected more than a dozen Walgreens dumpsters across central Indiana. It appears the corrective actions taken more than a decade ago after WTHR’s investigation are still working. Nearly all of the dumpsters checked were locked, and those that are accessible to the public contained no protected health information. Walgreens' policy now requires all PHI to be disposed of in separate bags that are not placed in publicly-accessible dumpsters.
