Improper ShopRite PHI Disposal Incident Affects Almost 10,000 Individuals

Mar 16, 2018

It has been discovered that an electronic device used to record the signatures of clients at a ShopRite pharmacy in Millville, New Jersey, was disposed of without first being cleared of all saved protected health information.

A small amount of protected health information was saved on the device, including patients’ names, dates of birth, phone numbers, zip codes, prescription details, medication names, signatures, date and time of collection/delivery, and in some instances, details of over-the-counter medications containing pseudoephedrine (PSE).

Customers used the device to acknowledge the store’s privacy policy and payment for prescriptions by insurance suppliers. Data was also gathered on sales of products containing PSE to comply with legal requirements.

People affected by the incident had collected prescriptions or bought PSE products between 2007 and 2013. The device was not used after June 2016.

The improper disposal of the device is not thought to have resulted in PHI being compromised and no reports of PHI access or misuse have been submitted to ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

People whose PHI has been exposed have been notified by mail and advised of the measures they can take to minimize the risk of PHI misuse, such as checking their financial accounts closely and monitoring Explanation of Benefits statements for signs of improper use of their insurance information.

ShopRite has reacted to the incident by refreshing and strengthening its policies and procedures regarding removal of PHI from computers and other electronic devices and the safe and secure disposal of electronic technology. Employees have also been given further training on privacy and security.

The breach report filed with the HHS’ Office for Civil Rights indicates 9,956 people have been affected by the incident.

HIPAA Rules require all electronic data to be completely erased from electronic devices before disposal. All PHI must be made unreadable and indecipherable, and a method should be used to delete data that prevents the information from being reconstructed.

With ePHI this can be achieved through safe clearing and overwriting of data, purging by exposing the device to powerful magnetic fields, or destroying the device by burning, incineration or an alternative method.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
