CVS Caremark Corp. will overhaul its information security system and pay the state of Texas $315,000 to settle a lawsuit that accused the drugstore operator of dumping credit card numbers, medical information and other material from more than 1,000 customers into a garbage container. Texas Attorney General Greg Abbott, who sued CVS in April 2007, announced the agreement.
Woonsocket, R.I.-based CVS Caremark, which operates the nation's largest retail pharmacy chain, was accused of failing to protect its customers from identity theft at a store in Liberty, Texas.
Records allegedly dumped by employees behind the store included credit and debit card numbers and prescription forms that contained customers' names, addresses, dates of birth and types of medications, Abbott has said.
CVS' revamped information security program must have administrative, technical and physical safeguards designed to protect the personal information of customers. It also must create a training program to inform new hires of its enhanced security procedures and conduct unannounced compliance checks at some stores, among other measures.