When Target announced this week that it was selling its pharmacy business to CVS, it was good news for CVS, which will add more than 1,660 pharmacies across 47 states, plus 80 clinics, to its network of some 7,800 drugstores and almost 1,000 clinics. But lost amid all of the mega-drugstore talk are some very likely data security and privacy problems, and the HIPAA exposure that comes with them.
What we have is a potential data security train wreck. Screaming down one track is Target's collection of highly sensitive personal prescription and medical histories, one of the largest in the world. Barreling in on the other track are Target's pharmacy employees, who have little incentive to carefully follow data transfer procedures now that the data is about to be handed to another company, and who likely suspect that they will not be Target employees much longer.
CVS itself got its hand slapped by regulators a few years back for tossing its own sensitive patient records into unsecured dumpsters. And the history of companies getting sloppy when shutting down a business is littered with examples such as what Blockbuster did in New York City, leaving "boxes and boxes of customer membership applications, containing valuable personal information, all sitting on the sidewalk in plain sight."
Even under ideal conditions, transferring such a huge volume of highly sensitive customer information to another company would be a big security risk. How will it be sent? A shared VPN is unlikely to exist between two companies that were competitors until this week. Will it be physically shipped on media? And when CVS takes custody of that privacy treasure trove, what security procedures will it use? It's unlikely that CVS has an established procedure for ingesting a one-time inbound transfer of this size. It can create one, of course, but that procedure will be untested.
If anything goes wrong at either end — or, for that matter, as the data is moving — the problem will be substantial.
And lots of things could go wrong. During the transition, the number of people who will have access to this sensitive data will soar, quite possibly double. Like any other secret, the more people who have access, the greater the chance that something will be mishandled, deliberately or accidentally.
As for "deliberately," if you don't think that identity thieves are right now dialing soon-to-be-former Target pharmacy IT people and offering them generous cash incentives to make an extra copy of those databases, you're fooling yourself. The situation is ripe for social engineering as well. Target's people could get calls from people claiming to be their CVS counterparts, asking them to send the data slightly differently than was planned. Will there be any meaningful way to authenticate such a request beyond the caller's say-so? It's a very plausible pretext, and it's unlikely that Target's rank-and-file IT staff will know many of their CVS opposite numbers by voice.
What can be done about any of this? The biggest element of security is to realistically anticipate any attacks and to prepare countermeasures. Has Target assigned any senior IT people to create these mechanisms and to personally oversee their implementation? Is the data exchange being negotiated and executed by small groups of people who will work together and who all have guaranteed jobs after the merger? (Guaranteed, that is, unless the data transfer doesn't go well.)
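One concrete countermeasure for the problems raised above (data shipped on media, a caller asking for it to be "sent slightly differently," and rank-and-file staff who cannot recognize their counterparts) is to make the shipment itself verifiable. The sender publishes a manifest of every file, its size and its SHA-256 digest, and authenticates that manifest with an HMAC under a key that two named contacts at Target and CVS exchanged in person or by phone before the transfer started. The receiver then refuses anything that does not match: an altered file, a missing file, an unlisted extra file, or a manifest produced by someone who never had the key. The code below is an added example written for this page, not anything Target or CVS has described; the key, file names and file contents are all constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: a 32-byte key agreed out of band between named contacts at the
# two companies before the transfer begins. Constructed value for this example
# only; a real key would never appear in source.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large exports fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    """Deterministic serialization so sender and receiver MAC the same bytes."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(directory: Path, key: bytes) -> dict:
    """Sender side: list every file with its size and digest, then MAC the list."""
    files = {}
    for p in sorted(directory.rglob("*")):
        if p.is_file():
            rel = p.relative_to(directory).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    mac = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac_sha256": mac}


def verify_manifest(directory: Path, manifest: dict, key: bytes) -> list:
    """Receiver side. Returns a list of problems; an empty list means the
    shipment matches exactly what the sender's named contact committed to."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    # Constant-time comparison; an impostor without the key fails here.
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        return ["manifest MAC invalid: wrong key or manifest altered"]
    problems = []
    present = {p.relative_to(directory).as_posix(): p
               for p in directory.rglob("*") if p.is_file()}
    for rel, meta in manifest["files"].items():
        p = present.pop(rel, None)
        if p is None:
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            problems.append(f"altered: {rel}")
    # Anything on the media that the sender never listed is a red flag, not a bonus.
    for rel in sorted(present):
        problems.append(f"unexpected extra file: {rel}")
    return problems


def demo() -> dict:
    """Constructed shipment of two export files, then three ways it can go wrong."""
    results = {}
    row1 = b"patient_id,drug,fill_date\n1001,X,2015-06-01\n"
    row2 = b"patient_id,drug,fill_date\n1002,Y,2015-06-02\n"
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "rx_history_part1.csv").write_bytes(row1)
        (src / "rx_history_part2.csv").write_bytes(row2)
        manifest = build_manifest(src, SHARED_KEY)
        results["clean"] = verify_manifest(src, manifest, SHARED_KEY)

        # An impostor who never received the out-of-band key cannot vouch for the data.
        results["wrong_key"] = verify_manifest(src, manifest, b"x" * 32)

        # A record changed after the manifest was built (same size, different bytes).
        (src / "rx_history_part2.csv").write_bytes(row2.replace(b",Y,", b",Z,"))
        results["altered"] = verify_manifest(src, manifest, SHARED_KEY)

        # Data "sent slightly differently": an unlisted file rides along on the media.
        (src / "rx_history_part2.csv").write_bytes(row2)
        (src / "rx_history_part3.csv").write_bytes(row1)
        results["extra"] = verify_manifest(src, manifest, SHARED_KEY)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

The point of the design is that the manifest, not a phone call, is the authority on what the shipment should contain, and the key behind it was exchanged through a channel an outside caller cannot spoof. Any deviation from the agreed plan, however well explained by whoever is on the line, shows up as a verification failure that a named person on each side has to sign off on.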
Pharmacy data is the ultimate in sensitive data. Unlike payment card numbers or passwords, prescription histories and medical data can't be changed or reissued after a breach. That means an identity thief could grab a copy, shrewdly sit on it for months and then slowly use it for nefarious purposes, knowing that it will remain accurate and usable for as long as the thief needs it.
So congrats to CVS on an impressive expansion deal. Let's just hope that part of your investment is going to a team to prevent any privacy disasters.
This article is published as part of the IDG Contributor Network.