15 Years Later, Walgreens’ HIPAA Violation Case Raises Questions

Newly obtained internal emails revealed that OCR may not have known that its investigation into a Walgreens HIPAA violation was still open 10 years later.

Following a 2006 HIPAA violation investigation by Indianapolis news station WTHR, CVS and Rite Aid reached settlements with HHS’ Office for Civil Rights (OCR) and paid a combined $3.25 million in fines. CVS, Rite Aid, and Walgreens were all found to have exposed protected health information (PHI) by improperly disposing of records in unsecured dumpsters.

But while CVS and Rite Aid reached settlements within a few years, OCR’s investigation into Walgreens lasted for over a decade and resulted in no fines or penalties. New documents and internal emails obtained by WTHR revealed that OCR may not have known that its investigation into Walgreens was still open 10 years later.

All three pharmacy chains were caught violating the same law. But miscommunication and lapses in the government’s investigations may have resulted in Walgreens escaping consequences while CVS and Rite Aid resolved the allegations with hefty settlements.

The findings raised questions about how OCR handles its HIPAA violation cases and whether the appropriate parties are facing the consequences of potentially jeopardizing patient safety.

WTHR’s investigation kicked off with a robbery. Someone disguised as a pharmacy worker knocked on the door of Bloomington, Indiana resident Marjorie Kerr and stole her medication. The perpetrator had found Kerr’s address and prescription records inside a pharmacy dumpster.

Investigative journalists searched pharmacy dumpsters across central Indiana and found easily accessible PHI. When the investigation gained traction, investigators found a recurring trend in cities across the country.

By 2009 and 2010, CVS and Rite Aid paid their respective fines, but OCR said nothing about Walgreens. When asked about the status of the investigation, OCR told WTHR that the case was still open.

“These investigations, we never know how long they’re going to take,” Leon Rodriguez, former OCR director, told WTHR in 2011.

“I’ve been here long enough to know sometimes, for perfectly legitimate reasons, an investigation can take five years and even more. And there are times when the reasons are not legitimate.”

In 2016, OCR again told WTHR that the case was still open. WTHR asked why the case remained open and was met with silence.

The news outlet finally received a response after seven weeks. The response abruptly stated that the case had been closed following an in-depth investigation that resulted in Walgreens taking voluntary compliance actions.

WTHR pointed out that the other pharmacy chains had also taken corrective actions, but paid millions in fines while Walgreens walked away unscathed.

Documents obtained this summer, almost five years after WTHR filed a request under the Freedom of Information Act (FOIA), provided little insight into the case’s sudden closure.

Following WTHR’s request for information, OCR public affairs specialist Roxanne Beharry sent an email saying, “This reporter is requesting information on why the case has been opened for the last 10 years without resolution… Can you please advise me on how to respond?”

Illiana Peters, OCR’s senior advisor for HIPAA compliance, responded: “I thought this case had been closed. Do you have the transaction number? I will ping the Midwest Region on it and get back to you.”

The agency then announced that the case had been closed and did not respond to WTHR’s questions about why the investigation stretched on for over a decade.

OCR agreed to re-open WTHR’s FOIA request to search for additional information. Walgreens now requires staff to dispose of PHI in dumpsters that are not publicly accessible.

The investigation exposed inconsistencies with HIPAA enforcement that could send the wrong message to bad actors and patients impacted by the violations.


This post, 15 Years Later, Walgreens’ HIPAA Violation Case Raises Questions, was first shared on Health IT Security on August 23, 2021.
