Alert: Reported Phishing Scam Affecting Pharmacy Teams and Patients in British Columbia.
The College has received multiple reports from community pharmacies in BC of a phishing scam targeting patients for their personal information.
A number of patients have received phone calls from a caller posing as a pharmacy staff member and asking for personal and/or credit card information.
The excuses provided by the scammer for needing patients’ personal and/or credit card information include:
- Verifying card information for a delivery payment
- Updating patient profiles
- Rectifying a billing error
What to Do If You Receive a Suspicious Phone Call – Patients
Scammers may obtain your telephone number fraudulently or from public lists, such as a phone book. As such, even those with unlisted numbers can receive phishing phone calls.
Scammers will usually claim to represent legitimate companies or community pharmacies in an attempt to trick you into providing personal and/or credit card information.
The College urges patients and members of the public not to give your credit card or personal information over the phone, unless you made the call, or can verify that the caller is a registered health professional and/or that you have a professional care relationship with them.
If you are unable to verify the identity of the caller, the easiest thing to do is hang up and contact your pharmacist in person or over the phone to confirm that the request for information is legitimate.
If you receive an unsolicited call asking for credit card and/or personal information, and are unable to verify the legitimacy of the request, hang up and report the incident to The Canadian Anti-Fraud Centre and/or the RCMP or local police department.
Contacting The Canadian Anti-Fraud Centre
If you have been contacted by a scammer, you should report it to the Canadian Anti-Fraud Centre, even if you haven’t given them any money.
If you have lost money, you should contact your local police as well.
Reporting to the Canadian Anti-Fraud Centre
By phone: 1-888-495-8501 (toll free)
Online: Fraud Reporting System
What To Do If You Think You’ve Been Scammed
If you have given your personal, health or credit card information to a caller that you now suspect to have been fraudulent, The Canadian Radio-television and Telecommunications Commission (CRTC) recommends the following:
- Alert your financial institution. If you have provided your account details to a scammer, contact your bank or financial institution immediately and let them know.
- Get further assistance. Contact the Canadian Identity Theft Support Centre at http://idtheftsupportcentre.org/ or by dialing 1-866-436-5461.
- File a complaint. You can report unwanted telemarketing calls at www.lnnte-dncl.gc.ca or by calling 1-866-580-DNCL (3625).
- Contact law enforcement. If you think the call might be part of a fraud scheme, contact law enforcement authorities or the Canadian Anti-Fraud Centre.
Protecting Patient Confidentiality and Health Information in BC – Expectations for Registrants
There are many layers to ensuring personal health information is protected – from following BC’s privacy legislation and establishing appropriate operational policies , to upholding ethical obligations. Modern pharmacy practice also uses a number pharmacy database systems, such as PharmaNet in BC, for tasks that include data collection and patient record management which also require high standards to ensure health information security.
Privacy Protection Legislation in BC
In British Columbia, there are two distinct pieces of legislation governing the protection of privacy:
- Public bodies (such as health authorities and the College) fall under the Freedom of Information and Protection of Privacy Act (FOIPPA).
- Businesses (such as community pharmacies) fall under the Personal Information Protection Act (PIPA).
Disclosure of Personal Health Information
Section 25.94 of the Health Professions Act states that a pharmacist must not disclose, or allow a support person, a registrant who is not a pharmacist, or another employee to disclose, personal health information to a person other than the person who is the subject of that record.
(2) Subject to the bylaws, a pharmacist, on request, must disclose personal health information to
(a) the person who is the subject of the record, or
(b) a person authorized in writing, by the person who is the subject of the record, to receive the information.
(3) Subject to the bylaws, a pharmacist, on request, must disclose relevant personal health information to
(a) another pharmacist for the purpose of dispensing a drug or device,
(b) another pharmacist or a practitioner for the purpose of monitoring drug use,
(c) a federal or Provincial government payment agency or an insurer that makes reimbursement for the cost of prescribed drugs, devices or pharmacy services for the purpose of claims or payment administration, including the performance of audits, or
(d) the college for the purpose of monitoring the practice of pharmacy.
Code of Ethics
Standard 4 of the College’s Code of Ethics sets out requirements for ensuring patient information is kept confidential.
- Registrants respect their patients’ right to privacy and confidentiality.
- Registrants do their utmost to protect patient confidentiality when they share patient information with colleagues or other health care professionals
- Registrants do not disclose confidential information without the consent of the patient, unless provided for by law or by the need to protect the welfare of the individual or the public interest.
- Registrants maintain confidentiality in creating, storing, accessing, transferring and disposing of records they control
Pharmacy System Security
PharmaNet is a valuable tool for protecting public safety. It allows pharmacy professionals to review a patient’s complete medication history and check a prescription for drug allergies and harmful drug interactions before dispensing medication.
In order to uphold legislative requirements and ethical obligations regarding patient privacy and confidentiality, it is vital that pharmacies practice proper system security when using PharmaNet or other pharmacy database systems.
The Pharmacy Operations and Drug Scheduling Act (PODSA), Bylaws, s. 35(2), sets out the following rules regarding Data Collection, Transmission of and Access to PharmaNet Data:
s.35 (2) A registrant may collect and record patient information in PharmaNet, or access, use and disclose a patient’s PharmaNet record only for the purposes of:
(a) dispensing a drug;
(b) providing patient consultation;
(c) evaluating a patient’s drug usage;
(d) claims adjudication and payment by an insurer; or
(e) providing pharmacy services to, or facilitating the care of, the individual whose personal information is being collected, accessed, used or disclosed.
All registrants should ensure their network accounts are secure and remember they are ultimately responsible for all activity associated with their licence number.
The PharmaNet Professional and Software Compliance Standards, Volume 5 provides standards for PharmaNet System Security with regards to:
- User IDs
- Passwords, and
- Other Authentication
- Pharmacy Matters: Pharmacy System Security
- Pharmacy Matters: PharmaNet Access.
- ReadLinks: Personal Health Information and Privacy Rights
- Canadian Anti-Fraud Centre
- Personal Information Protection Act
- Canadian Radio-television and Telecommunications Commission – How to Protect Yourself from Scammers