Business

Pharmacies sharing medical data without police warrant: Congressional investigation

A congressional investigation has discovered that law enforcement agencies have been accessing patient prescription records through pharmacies without warrants, with most people unaware that their private data is being handed over to authorities.

Sen. Ron Wyden (D-Ore.), chair of the Senate Finance Committee, along with Democratic Reps. Pramila Jayapal (Wash.) and Sara Jacobs (Calif.) alerted the Department of Health and Human Services (HHS) of what they’ve uncovered.

“Through briefings with the major pharmacies, we learned that each year law enforcement agencies secretly obtain the prescription records of thousands of Americans without a warrant. In many cases, pharmacies are handing over sensitive medical records without review by a legal professional,” the lawmakers said in a letter to HHS.

“Although pharmacies are legally permitted to tell their customers about government demands for their data, most don’t,” they continued. “As a result, many Americans’ prescription records have few meaningful privacy protections, and those protections vary widely depending on which pharmacy they use.”

Lawmakers surveyed eight major pharmacy chains — CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores Inc., The Kroger Co. and Rite Aid Corp. — along with Amazon Pharmacy. Of those that were surveyed, Amazon Pharmacy was the only that affirmed it had a policy of informing customers when law enforcement requested their records.


None of the companies said they require a warrant before providing pharmacy records to law enforcement agencies. The lawmakers noted in their letter that records were provided in response to a “mere subpoena.”

According to the letter on Tuesday, five of these companies said any demands for pharmacy records were reviewed by legal professionals before a response was sent.

Three companies — CVS Health, The Kroger Co. and Rite Aid Corp. — said, however, that their staff faced extreme pressure to provide an immediate response. As such, their staff are instructed to process records requests in-store. CVS Health and Kroger apparently both argued that their staff are trained to respond to these requests and have access legal departments if they have questions.

CVS Health, Walgreens Boots Alliance and Kroger committed to publishing annual transparency reports on law enforcement demands before or during the course of the congressional inquiry. CVS Health has said it will publish the first of these transparency reports in the first quarter of 2024.

When reached for comment, CVS Health said in a statement that their processes are consistent with the Health Insurance Portability and Accountability Act (HIPAA), the federal law restricting release of medical information. “The Office for Civil Rights, the agency that enforces HIPAA, has reviewed our processes on multiple occasions and deemed them to be compliant. Additionally, our processes are consistent with industry practices,” according to the statement.

CVS Health further claimed that it is required “by law” to keep records requests from regulatory and law enforcement agencies confidential and that it considers whether to notify individuals at the subject of such inquiries on a “case-by-case” basis.

“We’re committed to protecting our customers’ privacy—not only because it’s required by law, but because it’s the right thing to do,” an Amazon spokesperson said in a statement. 

“When required by law, we cooperate with law enforcement officials and comply with court orders. Amazon Pharmacy notifies a customer prior to disclosing health information to law enforcement as long as there is no legal prohibition to doing so. Requests from law enforcement are rare, and represent a very small percentage of the prescriptions we fill for customers.”

The Hill has reached out to the other pharmacies cited in the letter Tuesday.

When justifying their lax requirements on records requests, the pharmacy chains cited HHS regulations that allow them to disclose records if required by law or pursuant to a legal process, according to the lawmakers.

“We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles,” the lawmakers wrote.

“Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy.”

The Hill has reached out to HHS for comment.

This story was updated at 5:11 p.m.