Is CVS-Target pharmacy deal a potential privacy 'train wreck'?

The acquisition of 1,660 Target (NYSE:TGT) pharmacies this month by CVS (NYSE:CVS) raises significant data security questions, privacy issues and possible HIPAA (Health Insurance Portability and Accountability Act) conflicts.

The deal adds the in-store pharmacies and 80 Target health clinics to CVS's network of about 7,800 drugstores and 1,000 Minute Clinics, and it has been heralded as benefiting both companies. CVS gets locations and pharmacy customers in high-traffic Target stores, and Target sheds an operation outside of its core competency while keeping the pharmacy departments—and customers—in its stores.

But rough privacy seas are on the horizon, according to Computerworld columnist (and former FierceRetailIT Editor) Evan Schuman. "What we have is a potential data security train wreck," he wrote in The Zen of Retail Tech blog.

Target and its customers were victimized by a massive data breach in late 2013, a debacle which raises questions to this day about sensitive pharmacy information. In 2009, CVS was fined $2.5 million for improperly disposing of items containing personal information.

The main attraction in any pharmacy acquisition is the data base of patient information, which includes personal prescriptions and medical history. There is some question of whether Target pharmacy employees, facing the uncertain aftermath of the CVS acquisition, will carefully follow data transfer protocols, Schuman wrote.

"Even under ideal conditions, transferring such a huge volume of highly sensitive customer information to another company would be a big security risk," he wrote. "How will it be sent? Considering the two companies involved, a shared VPN is unlikely, so will it be physically shipped on media?

"And when CVS accesses that privacy treasure trove, what security procedures will it use? It's unlikely that CVS has a regular procedure for handling such a huge quantity of data. It can create one, of course, but that procedure will be untested."

If something goes wrong, the ramifications could be extensive. During the transition, the number of people with access to this data will increase substantially. "Like any other secret, the more people who have access, the greater the chance that something will be mishandled, deliberately or accidentally," Schuman wrote.

Deliberately? Schuman suggests that identity thieves will seek out Target's pharmacy IT people, who will soon be displaced, and offer them money in exchange for a copy of the database.

"It's a situation ripe for social engineering tactics as well. Target's people could get calls from people claiming to be their CVS counterparts, asking them to send the data slightly differently than was planned. Will a meaningful authentication system exist? It's a very plausible pretense, and it's unlikely that Target's rank-and-file IT will know many of their CVS opposite numbers."

What can be done? The biggest security precaution is to anticipate attacks and prepare countermeasures. Target needs to assign senior IT employees to create these processes and personally oversee their implementation. The data exchange should be negotiated and executed by small groups of people who will work together and who all have guaranteed jobs after the merger, Schuman wrote.

"Pharmacy data is the ultimate in sensitive data. Unlike payment card data or passwords, prescription histories and medical data can't ever be changed. That means that an identity thief could grab a copy, shrewdly sit on it for months and then slowly use it for nefarious purposes, knowing that it will remain accurate and usable for as long as the thief needs it," he said.

For more:
-See this Computerworld article

Related stories:
Target, CVS partnership signals strategic shift
Target CEO Cornell places big bet on technology
Target makes $1B bet on digital
Retail clinics hit 10 million annual visits
CVS rolls out updated app