[Med-privacy] CVS
Peter Marshall
pwm@comcast.net
Sun, 26 Jun 2005 14:09:36 -0700
CVS ends Web site feature over privacy concerns
An unauthorized person could track other customers’ purchases by e-mail
News Story by Todd R. Weiss

JUNE 23, 2005 (COMPUTERWORLD) - Retail drugstore chain CVS Corp. has temporarily disabled a feature on its Web site that allowed an unauthorized person to improperly obtain customer purchase records via e-mail.

In a statement yesterday, Woonsocket, R.I.-based CVS acknowledged that it had disabled a feature that allows registered users of its CVS ExtraCare loyalty cards to track purchases made under “flexible spending accounts” (FSA) set up through their employers. The loyalty cards offer discounts to shoppers who register for the cards and allow CVS to gather information about their purchases.

More than 50 million customers use its ExtraCare loyalty cards, CVS said.

The problem with the ExtraCare cards, said Katherine Albrecht, founder and director of the Web-based consumer group CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), is that anyone can access a cardholder’s purchase records if they have the user’s 11-digit account number, ZIP code and the first three letters of their last name. Such scenarios could occur, she said, when an ExtraCare cardholder takes his car to a mechanic and hands over their keys -- including the ExtraCare key ring card that has a printed account number on it.

As part of its ExtraCare FSA records, CVS collects and stores data about a cardholder’s purchases, including the time and date of the purchase, items purchased, store location, universal product code and the customer’s name, Albrecht said. Cardholders could go to the CVS ExtraCare Web page and request a copy of their FSA purchases via e-mail, but the feature was disabled this week.

“The biggest issue is why does CVS have all this data on the site in the first place?” Albrecht said.

CVS didn't respond to several requests for comment. But in its statement, the company said the online feature was designed to provide customers with “easy access to their own purchase information for purposes of filing FSA claims for over-the-counter items.”

The information on the Web site doesn't include prescription purchases, nor does it include Social Security numbers or credit card numbers that could lead to identity theft, the company said.

“The security procedures implemented to protect information ... accessed for FSA-related customer needs have been carefully designed, and we believe are effective,” the statement said. “We have received absolutely no indication from any of our ExtraCare cardholders that this information had been improperly accessed.”

CVS said it won’t bring the FSA feature back until it has created “additional security hurdles for accessing this purchase information” online.

CASPIAN is a grass-roots consumer group that has opposed retail surveillance efforts since 1999.

Copyright © 2005 Computerworld Inc