As looted prescription drugs flood Baltimore streets, fueling a surge in violence, pharmacy chain Rite Aid warned customers Wednesday that their personal medical information could be on the streets, too.
Store officials said the labels on prescriptions stolen during the late April riots included patient names, addresses and the names of medication, but not other sensitive data such as Social Security numbers or credit card numbers.
The alert nonetheless raised concern among privacy advocates who said the information could be used for fraud. Rite Aid has hired a risk management firm to help protect customers from identity theft.
The risk also extends to customers at looted pharmacies across the city. The Drug Enforcement Administration is reviewing surveillance footage from 27 pharmacies to possibly file charges against looters, and a spokesman said the agency would help monitor for any reports of medical identity fraud.
Depending on what information pharmacies include on prescription labels, criminals could improperly refill the prescriptions, bill medical care to the prescription holder's insurance or combine the information with other stolen data to commit larger acts of fraud, experts said. Medical data is gaining in value on black markets, prompting hackers to increasingly target health care organizations, such as CareFirst BlueCross BlueShield, the local insurer that last month revealed a data breach affecting more than 1 million customers.
"It would not surprise me if patients who used those pharmacies that were looted later learned they were victims of medical identity fraud," said Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance.
On Wednesday, Baltimore Police Commissioner Anthony W. Batts said police were working with federal partners such as the Drug Enforcement Administration to seize more than 175,000 "units," or doses, of prescription drugs looted from 27 pharmacies and two methadone clinics when unrest erupted April 27, in the wake of the death of Freddie Gray from injuries sustained in police custody weeks earlier.
"There's enough narcotics on the streets of Baltimore to keep it intoxicated for a year," Batts said. "That amount of drugs has thrown off the balance on the streets of Baltimore."
DEA Special Agent Gary Tuggle said even more drugs have been stolen than reported. About 40 percent of the looted pharmacies have not finished counting losses, he said.
There is no evidence that personal information found on stolen prescriptions has been used for fraud, pharmacy and law enforcement officials said.
Still, Rite Aid officials said the chain has hired the risk management firm Kroll as a precaution "to alert impacted customers via a letter of notification and share with them the proactive measures it has taken to guard against identity theft."
Federal law requires organizations bound by medical privacy laws, such as pharmacies, to disclose breaches of customer data. The organizations have 60 days to notify customers of such breaches, according to the Department of Health and Human Services.
Concerned Rite Aid customers can call Kroll at 1-855-294-2551 between 9 a.m. and 6 p.m., or Rite Aid at 1-800-RITE-AID.
A spokeswoman for CVS Health said that chain also would be notifying patients whose personal information might have been compromised and would "let them know of steps they should take to protect against the misuse of their personal information."
Several CVS stores were looted, including one at Pennsylvania and North avenues that was set ablaze.
Peter Okojie, owner of two Care One pharmacies in Baltimore, said he had not heard any concerns over stolen information. Much of the drugs stolen from his pharmacies were later found on a school field, he said. Okojie said he was in communication with assisted-living facilities and other large customers about stolen drugs.
Even though prescription labels contain limited information, they still can be valuable to criminals, said Eva Velasquez, CEO of the Identity Theft Resource Center. Having some personal information "makes it a lot easier" for criminals to commit fraud, allowing them to exploit data like prescription or insurance identification numbers, she said.
And that's not to mention general privacy concerns about medical conditions' being made public.
"There's definitely a strong sense of violation any time people feel like their personal information is out there in someone's hands," Velasquez said.
Patterson recommended that customers of any of the looted pharmacies closely monitor any medical correspondence they receive, such as "explanation of benefits" documents that show what billings an insurer has received. She emphasized people should scrutinize claims made to their insurers under their names, a field that many often overlook because they don't suspect fraud, and watch for any letters from unfamiliar hospitals or other care providers.
"As long as insurance pays for it, [people] don't really look at anything else," Patterson said.
Baltimore Sun reporters Justin George and Kevin Rector contributed to this article.