A friend of mine, Ms. S., recently had an unsettling experience with a company called Caremark (the parent company of the pharmacy CVS), through whom she fills her prescriptions. She was reordering a prescription refill she buys through the mail, and needed to pay for it. She tried logging onto their website to pay, as I’m sure thousands of people do every day, but because her order was “In process,” it wouldn’t let her pay for it.
Caremark called her this morning. The conversation went something like this…
Caremark: “Hi, this is ****** from Caremark. I’m calling about a recent order. Can I get you to verify your name, date of birth and mailing address?”
Ms. S: “I’m sorry, but how do I know you’re from Caremark? You called me.”
Caremark: “I understand that, but I need to verify this information with you before I can tell you what I’m calling about.”
Ms. S: “You called me. I don’t know if you’re Caremark or someone phishing for account information from me. Why don’t you tell me the information you have, and I’ll verify it’s correct.”
Caremark: “Sorry, due to HIPAA regulations, I can’t do that in order to protect patient privacy.”
Apparently Caremark is completely unaware that calling someone out of the blue and asking them to “confirm” publicly-accessible personally identifiable information is really not a legitimate way to operate. It violates the common wisdom that any security expert will tell you about identity theft — never give out personally identifiable information on the telephone or in email if you can’t confirm the identity of the person asking for it.
How did this pass Caremark’s best practices group? Is this any way to run a company in the business of dealing with sensitive health data and patient records? Asking people to violate the cardinal rule of keeping personal information private certainly is not.
Nonetheless, apparently needing to meet their hourly customer service quota, the Caremark customer service representative proceeded to tell Ms. S what he was calling about anyway — even though he had no idea who he was actually talking to.
Caremark: “So anyway, the reason I’m calling is that we see you have a refill pending with us, but we need you to pay the balance on this account before we can process your refill.”
Ms. S: “Yes, I tried paying this online, but it wouldn’t let me. It said the order was ‘in process’ or something like that, and I couldn’t pay it online. ”
Caremark: “Well, I’d be happy to accept your credit card information on the phone right now so we can take care of this matter.”
Ms. S: “Again, for the third time, I don’t know who this is. Do you honestly expect me to give out my credit card information just because someone calls me and says they’re with a company I do business with?”
Caremark: “I’m sorry you feel that way. We can’t process your order until we receive payment.”
At this point, Ms. S. told me while relating the story, the Caremark representative sounded annoyed, judging from the tone of his voice. She saw that he didn’t really understand the issue at hand, and that she probably wouldn’t get any further by trying to point out the problems with asking people for information like this when the company is the one that initiated the phone call.
Ms. S: “I understand that. Maybe you should upgrade your website to let it accept payments even when an order is ‘in process.’ Anyways, I’ll call the customer service line at my convenience or send you a check.”
Caremark: “Okay. Thank you.”
Ms. S: “Goodbye.”
What an unsettling phone call. They “understand” HIPAA, but apparently don’t understand personal security best practices.
Good Security Practices for Personal Information
Conversations like the above should never occur with a company entrusted with our health data and personal information. It demonstrates a complete lack of understanding of social engineering and of the phishing attacks that most people receive every day, because the call is a perfect example of a good social engineering attack. If someone wanted to, they could make 100 similar phone calls and, I’m certain, obtain credit card information from at least one or two of those individuals, without ever having to offer any confirmation that they were indeed Caremark.
Caremark should change these customer service practices immediately. They entice people to provide personally-identifiable information without knowing who they are talking to. Worse, they encourage customers to also provide a stranger with their credit card information over the telephone to someone who called them.
Customers should never reveal any personally identifiable information to anyone who contacts them by telephone or email. Even if the information the caller has is correct, all that demonstrates is that the caller is either (a) legitimate or (b) has searched public records (i.e., done their homework) in order to perpetrate the scam. And of course, it goes without saying, never give your credit card information to an individual who contacts you via the telephone or email. If you want to take the person up on their offer, hang up and call the customer service telephone number listed on a recent bill. That way you can be sure whom you are talking to.
John,
what I get from this story is that Caremark’s lawyers have fully taken over customer support and that they are very good at covering their ass. Mission #1 is “covering our ass”, just as it should be for any healthcare related company in this incredibly messy system where the customer may not even be the patient but a faceless payor.
I have heard even more absurd stories about people trying to get their test results from the lab companies, BTW. We all know, the system is broken at every turn.
I think this is coming more from finance rather than the legal department — they just want their money, at any cost (even to your own security).
I think if the legal department got wind that the customer service department of Caremark/CVS had scripts that resembled identity-theft phishing expeditions, they might quash it pretty quickly. There’s nothing that says “lawsuit” quite so quickly as finding out that the criminals use the exact same script your customer service representatives do!
Reminds me of the phishing call I once got from the Caribbean. They were going to deliver me a brand new SUV if I would only go down to Western Union and send them $800 to cover handling.
Most fun 10 minutes I had for quite a while…
My niece is a customer service rep for a different company, but she explains that the rep continuing on to try and get a payment might be due to him trying to boost his performance metrics. I suppose the better way would have been for the rep to provide the customer service number and just let that call be a reminder. She also tells me most of these guys earn commissions when they reach a certain performance level. Quality is rarely an issue and is thrown out the window because it is a random check.
My sister had ID theft on the credit card she used only for Caremark online pharmacy! She checks her credit cards online often and 3 days after Caremark ran her card, charges started appearing unrelated to Caremark!! And her credit card address had been changed from Oregon to Iowa! Fortunately, she got all the charges stopped (they were still pending) and a new card issued. Not long after that happened she read about Caremark throwing credit card info in the dumpster.