CVS Health is one of the defendants in a federal lawsuit claiming that it and other companies failed to protect the HIV status of 6,000 patients in Ohio—not through an online data breach, but thanks to a poorly constructed envelope. The suit filed by three unidentified plaintiffs maintains that when CVS mailed letters to patients in the state’s HIV drug assistance program last year, the recipients’ HIV status was visible in the envelope’s glassine window. All three plaintiffs have been quoted in local media saying they fear being stigmatized by family, their communities, and potential employers and insurers due to their HIV diagnoses. Further, their attorneys charge that CVS failed to announce the privacy breach and did not contact all the patients whose status was revealed. CVS has countered that the envelope was supposed to show a reference code for the assistance program, not the recipient’s health status, and that it eliminated the reference code for future mailings as soon as it “learned of this incident.” The take-home for urgent care operators is to ensure all information, online and in hard copy, is secure and that communiques—including those handled by third parties—reveal as little information to the naked eye as possible.
Suit Claims CVS Revealed HIV Status of 6,000 Patients in Ohio