IBM, my new employer, uses CVS Caremark as the prescription insurance provider. Since the other option when one signs up is no insurance, I signed up.

I shop occasionally at CVS, but it is rarely a pleasant experience. Most of their stores remind me of old run-down K-Marts. They're dirty, terminally understaffed, and what staff there is seems to have had the life sucked out of them. While I'm sure there are shiny locations and energetic staff, I haven't encountered either in a long time.

My scripts are consistently cheaper with this plan even when I fill them at other pharmacies. A win for me, no doubt.

Today my postal mail included a CVS Caremark envelope. I opened it up, expecting a benefits statement.

Instead I learned that I was opted in to CVS's data mining program, ExtraCare. Thus we're introduced to the creepy. You can tell that it is creepy because there's no privacy statement at all in the accompanying letter (oh, they sent me unsolicited cards). However, if one reads the very last sentence of the letter, in a paragraph in smaller text than everything else including the footnotes, one will see that:

Once you use this card at your local CVS/pharmacy or online, information about your purchases will be maintained by CVS retail.

How creepy is that? What purchases & to what extent? How do they protect my data? By the way, there are 16 references to "save", "savings", "discount", and associated words in the letter.

Oh, and they offer no easy way to get more information about the privacy implications or un-opt-in. They're not open until Monday at 08:30 ET and the web site is bereft of data.

Apparently even calling the 888 number for more information grants CVS rights under this letter. The rights they claim are to tie your data to the ExtraCare account you didn't ask for. Classy.

I'll update as I learn more.



My original entry is here: Creepy Employer Sponsored Marketing. It posted Sat, 14 Feb 2015 22:33:27 +0000.

Filed under: personal, privacy, HIPAA, PHI