• FreeAdvice has a new Terms of Service and Privacy Policy, effective May 25, 2018.
    By continuing to use this site, you are consenting to our Terms of Service and use of cookies.

Breach by a Major Pharmacy in my Online Account!!

Accident - Bankruptcy - Criminal Law / DUI - Business - Consumer - Employment - Family - Immigration - Real Estate - Tax - Traffic - Wills   Please click a topic or scroll down for more.

rj2010

Junior Member
What is the name of your state?
Hi All,
I am in New York, as your question has asked.

I have experienced a very scary situation that sent me reeling. It had been a while since I logged into my account with a major drugstore chain, and when I logged on, I almost had a heart-attack.

I opened up my account and right on the top of my account the name showing up on the top of my account was the name of my sister...but not the same last name as mine....her married name.

Some background here is as follows: In no way would I have ever allowed her access to my account, ever, and her and her husband have dug through every part of my background in order to settle a personal loan that my brother in law went ballistic over and dug into things from my past I even forgot about, in order to bolster his court case.

Anyway, back to the breach:
I contacted this major drugstore chain via Chat and I told them about this breach and I gave them screenshots of what happened and then after not hearing back from them for a few days, I pursued them on Twitter because their "leadership team" was supposed to get back to me.

It was taking them a while and I told them that their delay is giving me the right to let the public know what injustice has been done and how they've allowed my account to be breached.

That apparently struck a chord and I heard from them. They offered me a gift card in this major drugstore chain and I said to them that will not suffice for the pain and suffering and the aggravation and the time off from work I had to take to deal with the thought of how violated I felt by their negligence, and so they said they would get back to me.

After a few days went by, I sent them another note via Twitter, telling them they obviously are not taking this seriously and I have to take this to the next level. That apparently once again shook their tree and got them to come back to me.

This time (Friday 11/30), we spoke about compensation and they said for me to let them know what compensation it would take to make it right. They had wanted me to give them a figure, but I told them to re-ponder the whole situation again in my mind will cause me over and above additional stress. Together, we just touched on a figure of a thousand/thousands or higher, and they said they understand, and they will get back to me with an amount as a starting point early in the week.

After the call, I realized that at this point, I should contact an attorney specializing in HIPAA laws, because in uncovering this, and taking it further, if they tell us how the breach happened and from where, I'd like to pursue, in addition to the compensation that will be due from the main breach from this major drugstore chain, then from my sister and brother-in-law, as well. There is enough evidence due to the closed court case with them (of which I touched on above), where you can clearly see intent, which should open the door to financial compensation for that from them, and definitely criminal, as well. However, in the minimum, this major drugstore chain is liable for this breach regardless of who breached the account, and they are fully aware that they are liable.

Please let me know how we should proceed.
Regards
 


Taxing Matters

Overtaxed Member
After the call, I realized that at this point, I should contact an attorney specializing in HIPAA laws, because in uncovering this, and taking it further, if they tell us how the breach happened and from where, I'd like to pursue, in addition to the compensation that will be due from the main breach from this major drugstore chain, then from my sister and brother-in-law, as well. There is enough evidence due to the closed court case with them (of which I touched on above), where you can clearly see intent, which should open the door to financial compensation for that from them, and definitely criminal, as well. However, in the minimum, this major drugstore chain is liable for this breach regardless of who breached the account, and they are fully aware that they are liable.

Please let me know how we should proceed.
Regards
You are probably lucky that the company is willing to consider paying you $1000 or perhaps more for this. It is likely doing so simply for public relations purposes. When Congress enacted HIPAA it did not include any private cause action. In plain language, there is no right under HIPAA to sue the pharmacy for money damages over this. The sole remedy for a HIPAA violation is to complain to the U.S. Department of Health and Human Services (HHS). HHS has the power to enforce HIPAA and impose significant fines for violators.

You are then left to sue for negligence under state law. Negligence in this circumstance means that the pharmacy failed to have reasonable practices in place to prevent the improper disclosure of your information. The practices don't have to be perfect. If they had good procedures in place but your sister and/or her husband were able to get around them because they had a lot of your personal information already and could fool the pharmacy into thinking they were you then the fault is not with the pharmacy; the fault there is with your sister and her husband.

Then even if you could prove negligence, there is the issue of damages. You have not mentioned suffering any legally recognized damages out of this, e.g. financial loss, etc. Emotional distress, being upset, etc, are generally not something for which the law compensates you. Most of the things that upset us in life don't allow us to sue the other person for money. The cases in which you can recover solely for emotional distress are generally limited to those situations in which the defendant's conduct was truly outrageous and offensive, the sort of thing that would severely offend just about anyone. This kind of problem does not rise to that level of outrageous and offensive behavior. Note that the cost to sue may well exceed what you might win even if that was compensable and you don't get awarded legal fees, etc., if you win.

Feel free to consult a personal injury lawyer about this. Many will give you a free initial consultation. Maybe some fact you didn't mention would make a difference.

But you might want to consider taking the offer on the table when they make it. If you push too much they may just say "screw it" and give you nothing.
 

cbg

I'm a Northern Girl
As a former poster here used to say, You have not won the lawsuit lottery here - you have not even won the lottery scratch ticket.

If they're willing to give you any compensation at all, take it and run.
 

quincy

Senior Member
First, here is a link to the New York Office of Mental Health on HIPAA Privacy Rules for the Protection of Health and Mental Health Information:

https://www.omh.ny.gov/omhweb/hipaa/phi_protection.html

As mentioned previously, there is no private cause of action available to pursue for a violation of HIPAA.

New York does not recognize invasion of privacy as a separate tort action. All privacy claims are covered under New York's Civil Rights Law, sections 50 and 51.

Here are links to privacy claims under the Civil Rights Law:
Section 50-B: https://www.nysenate.gov/legislation/laws/CVR/50-B
Section 50-C:
https://www.nysenate.gov/legislation/laws/CVR/50-C

You could review facts with an attorney in your area. Good luck.
 

rj2010

Junior Member
These responses require a two-pronged approach:

To those under cover of a made up username taking shots at me....I understand perhaps you have Mommy or Wife issues. Here's a Kleenex for you,
big boys. Don't let that big bad woman push you around! She's already made you cloak your privates in...well...private. Silly little boys must grow up

To those with useful comments...I thank you

Happy Holidays to the real men on here...you know who you are!
 

rj2010

Junior Member
Yes, for all of the valid and on topic responses from the women in this thread, my apologies, and wishing you the best and Happiest of Holidays, as well.
 

quincy

Senior Member
Yes, for all of the valid and on topic responses from the women in this thread, my apologies, and wishing you the best and Happiest of Holidays, as well.
Happy holidays, rj2010.

I hope you are able to find some relief for your issues, both legal and otherwise.
 

Dandy Don

Senior Member
Is there any way that your sister or brother-in-law could have used your own personal computer to access your chain drugstore account? If they had used a different computer from yours to access it, if the drugstore software had adequate security, it seems the website should have or would have blocked a different computer than yours from gaining access to the site, but I guess any software can have flaws.

Have you checked the other account details to see whether your address had been changed, phone number, etc.?

Did they benefit from the access (order or purchase any medications ) or do you think it was done merely out of spite?

You have no way of proving exactly who committed the breach (your sister or brother-in-law? a drugstore employee?)

If I were you I would be consulting with an attorney who specializes in cybersecurity law to help you determine if you have any options, including whether or not you have a legal basis for pursuing a lawsuit.

Even though this has been very upsetting, it is going to be extremely difficult, if not impossible, for you to prove specifically how you were damaged by this breach.

The company is not likely to give you any information on how the breach happened, because they are still investigating and will want to keep that information private.

If you can negotiate yourself to get them to pay you a few thousand dollars, then take what you can get and consider the matter closed. Because of the small amount of money involved, there will be a hard time for you even finding an attorney willing to accept this case because there is not much financial incentive. And the company will probably ask you to sign a statement in which you promise not to pursue further legal action after you have accepted the check.
 

Find the Right Lawyer for Your Legal Issue!

Fast, Free, and Confidential
data-ad-format="auto">
Top