PHI of Customers Stolen in Looting Incidents at Cub Pharmacies

A pharmacy network has revealed the protected health information of some of its customers has been illegally taken by looters in late May during the period of civil unrest.

From May 27-30, 2020, 8 Cub pharmacies in the Minneapolis area were broken into and items were taken such as paperwork containing the protected health information of its customers. Items taken from the clinic included locked safes that contained credit card authorization forms and prescriptions that had been made up and were awaiting collection. Binders containing printed records of past prescriptions and orders that were being processed were taken from pharmacies in Minneapolis and St. Paul.

The data on the credit card forms included the cardholder name, credit card number, expiry date, and the amount of the transaction, but did not incorporate the the CVV code which is required to make purchases over the telephone. These forms were only linkable to individuals who had arranged to have prescriptions delivered or mailed, not for customers who paid by credit card in person in a pharmacy.

Cub identified the theft of items immediately upon entering the stores between May 28-30. A review of CCTV footage revealed additional customer information had been taken when the stores were looted. Where possible, customers impacted by the breach were notified directly, although it was not possible to identify all impacted customers in that fashion, as it was not possible to determine which customers’ PHI was contained in the stolen binders.

The customer information stolen by the looters was limited and did not include the types of information sought by identity thieves. Cub does not believe affected individuals are in danger of identity theft; however, as a precautionary measure, all affected individuals are being encouraged to review their financial and explanation of benefits statements for any signs of improper use of their information. No cases of misuse of customer information have been received so far.

Cub is the fourth pharmacy group to announce that customer information was stolen in recent break-ins. Breaches have also been reported by Walgreens (72,143 people), CVS Pharmacy (21,289 people) and Kroger (10,974 people). According to the DEA, more than 33.3% of the 476 retail pharmacies in Philadelphia were looted and many pharmacies in other areas across the United States have also suffered destructive attacks and have had prescription drugs and other items illegally taken.

Author: Maria Perez