A friend of mine, Ms. S., recently had an unsettling experience with a company called Caremark (the parent company of the pharmacy CVS), through which she fills her prescriptions. She was reordering a prescription refill she buys through the mail, and needed to pay for it. She tried logging onto their website to pay, as I’m sure thousands of people do every day, but because her order was “In process,” it wouldn’t let her pay for it.
Caremark called her this morning. The conversation went something like this…
Caremark: “Hi, this is ****** from Caremark. I’m calling about a recent order. Can I get you to verify your name, date of birth and mailing address?”
Ms. S: “I’m sorry, but how do I know you’re from Caremark? You called me.”
Caremark: “I understand that, but I need to verify this information with you before I can tell you what I’m calling about.”
Ms. S: “You called me. I don’t know if you’re Caremark or someone phishing for account information from me. Why don’t you tell me the information you have, and I’ll verify it’s correct.”
Caremark: “Sorry, due to HIPAA regulations, I can’t do that in order to protect patient privacy.”
Apparently Caremark is completely unaware that calling someone out of the blue and asking them to “confirm” publicly accessible personally identifiable information is not a legitimate way to operate. It violates the common wisdom that any security expert will tell you about identity theft: never give out personally identifiable information on the telephone or in email if you can’t confirm the identity of the person asking for it.
How did this pass Caremark’s best practices group? Is this any way to run a company in the business of dealing with sensitive health data and patient records? Their process asks people to violate the cardinal rule of keeping personal information private.
Nonetheless, apparently needing to meet his hourly customer service quota, the Caremark customer service representative proceeded to tell Ms. S what he was calling about anyway, even though he had no idea who he was actually talking to.
Caremark: “So anyway, the reason I’m calling is that we see you have a refill pending with us, but we need you to pay the balance on this account before we can process your refill.”
Ms. S: “Yes, I tried paying this online, but it wouldn’t let me. It said the order was ‘in process’ or something like that, and I couldn’t pay it online.”
Caremark: “Well, I’d be happy to accept your credit card information on the phone right now so we can take care of this matter.”
Ms. S: “Again, for the third time, I don’t know who this is. Do you honestly expect me to give out my credit card information just because someone calls me and says they’re with a company I do business with?”
Caremark: “I’m sorry you feel that way. We can’t process your order until we receive payment.”
At this point, Ms. S. told me while relating the story, the Caremark representative was apparently annoyed, judging from the tone of his voice. She saw that he didn’t really understand the issue at hand, and that she probably wouldn’t get any further by trying to point out the problem with asking people for information like this when the company initiates the phone call.
Ms. S: “I understand that. Maybe you should upgrade your website to let it accept payments even when an order is ‘in process.’ Anyways, I’ll call the customer service line at my convenience or send you a check.”
Caremark: “Okay. Thank you.”
Ms. S: “Goodbye.”
What an unsettling phone call. They “understand” HIPAA, but apparently don’t understand personal security best practices.
Good Security Practices for Personal Information
Conversations like the above should never occur with a company entrusted with our health data and personal information. It demonstrates a complete lack of understanding of social engineering and of the phishing attacks that most people receive every day, because the call itself is a perfect example of a good social engineering attack. If someone wanted to, they could make 100 similar phone calls and, I’m certain, obtain credit card information from at least one or two of those individuals, without ever having to offer any confirmation that they were indeed Caremark.
Caremark should change these customer service practices immediately. They entice people to provide personally identifiable information without knowing who they are talking to. Worse, they encourage customers to give their credit card information over the telephone to a stranger who called them.
Customers should never reveal any personally identifiable information to anyone who contacts them by telephone or email. Even if the caller already has correct information about you, all that demonstrates is that the caller is either (a) legitimate or (b) someone who has searched public records (i.e., did their homework) in order to perpetrate the scam. And of course, it goes without saying, never give your credit card information to an individual who contacts you via telephone or email. If you want to take the person up on their offer, hang up and call the customer service telephone number listed on a recent bill. That way you can be sure who you are talking to.