How An IT Glitch Turned CVS Into A Meth Dealer

A misconfigured CVS computer system originally designed to limit excessive sales of pseudoephedrine (which can be used to make methamphetamine) ironically had the opposite effect. More generic pseudoephedrine was sold in the drugstore chain's southern California pharmacies than in the rest of its U.S. stores combined. The culprit? Store associates who regularly overrode or bypassed the system and—more to the point—the IT system that made it easy to do.

It's always a challenge to get employees to correctly use a computer system that stops them from selling—even when it's enforcing the law. That's the kind of conflict retailers increasingly face in cases where, for example, loyalty programs clash with privacy concerns. No manager is going to get a bonus for pushing customers away. As such, it may fall to IT to make sure employees don't cut corners, especially when those shortcuts could result in an expensive legal bill. Trouble is, that can be an impossible task.

In CVS' case, these problems resulted in the drugstore giant being fined $77.6 million by California officials, the state announced last Thursday (Oct. 14). When the system was finally configured correctly, pseudoephedrine sales dropped by 87 percent in some Los Angeles CVS stores.

For the chain, IT looked like an obvious point of failure. According to prosecutors, CVS is required by federal law to limit sales of pseudoephedrine to relatively small quantities and to log the names, addresses and birthdates of all customers buying the drug. CVS actually installed software called MethCheck to do that in 2007, and the system is capable of tracking sales to each customer across all the chain's stores. What it wasn't configured to do was stop sales that exceeded the federal limit.

As a result, generic pseudoephedrine sales at CVS pharmacies in the Los Angeles and Las Vegas areas skyrocketed. As California drug-enforcement agents learned in late 2008 from people arrested for possessing large quantities of the drug, CVS was their preferred place to buy. State officials notified the federal Drug Enforcement Administration (DEA), which reviewed CVS' sales practices and discovered that teams of buyers working for meth labs would sometimes literally clear a pharmacy's shelves of the drug—and the MethCheck software wouldn't stop them.

That's bad. What's worse is that pharmacy employees, who knew what the software was there for, didn't stop the drug buyers either. It was hard for them to have missed buyers who made up to a dozen purchases per day in a single store—in one case, a customer made 10 purchases in less than an hour. (According to prosecutors, many of the buyers even used CVS loyalty cards to get credit for their purchases.)

And those were the (relatively) honest employees. At the other of the spectrum, one CVS manager bought pseudoephedrine on his own, using 36 different fake IDs. When he was arrested, he had almost $3,000 worth of pills that were worth 10 times that amount on the black market, according to a California state investigator.When CVS was notified of the problem, the company reconfigured its software. Sales of pseudoephedrine in CVS drugstores in southern California dropped to a fraction of their previous levels. But from the DEA's perspective, that was $77 million too late.

Could software have stopped that crooked manager from breaking the law? Probably not. The MethCheck software has a manager's override, just like there is on every POS system. A bad manager can override the software for all the wrong reasons. But the manager who was arrested was the exception.

The real question is why all those other employees ignored customers who were obviously buying more pseudoephedrine than they were supposed to. The uncomfortable—but realistic—answer is that none of those employees' incentives were for enforcing the law. Their incentives were for selling.

And that's a problem. Drug laws, privacy laws and food safety laws all get in the way of moving merchandise. Violating those laws can bring a retailer lawsuits and fines, even when employees aren't trying to do anything but their jobs. That's a set of conflicts that all retailers face.

So what do they do? They turn to IT to install systems that enforce the rules. That puts IT in the role of enforcer and sets the department in direct opposition to employees. Care to guess who will win that particular conflict?

Wait, it gets worse. When there's a problem that involves people using IT systems—especially systems that are supposed to enforce rules—IT is always the most likely scapegoat.

After all, it's very hard to pin blame when employees bend rules so they can sell, say, an unauthorized drug product or outdated milk or meat. Is the employee breaking a rule? Is the manager allowing or even encouraging employees to break that rule? Is upper management looking the other way as long as sales are good? When the system fails at the people level, finding root causes can be next to impossible.

But it's very easy to identify the problem when software that's supposed to enforce rules fails to work. Whether it's a bug, a bad configuration or a bit of sloppy design, it's right in the software—undeniable and completely reproducible.

That's despite the fact that employees can always work around software, one way or another.

It also explains why DEA investigators zeroed in on CVS' software to look for evidence of negligence or wrongdoing and why prosecutors specifically called out the poorly configured software when they announced the record-breaking fine. IT systems are easy targets in an investigation.

Yes, CVS' IT people should have configured the software correctly. They should have monitored it to verify that the output made sense. Doing that right would at least have provided a little more legal cover for the chain.

But in the end, at CVS it was IT versus employees. And that was one battle IT was bound to lose.