Improper ShopRite PHI Disposal Incident Affects Almost 10,000 Individuals

Mar 16, 2018

It has been discovered that an electronic device used to record the signatures of clients at a ShopRite pharmacy in Millville, New Jersey, was disposed of without first being cleared of all saved protected health information.

A small amount of protected health information was saved on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription details, medication names, signatures, date and time of collection/delivery, and in some instances, details of over-the-counter medications containing pseudoephedrine (PSE).

The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance providers. Data was also gathered on sales of products containing PSE to comply with legal requirements.

People affected by the incident had collected prescriptions or bought PSE products between 2007 and 2013. The device was not used after June 2016.

The improper disposal of the device is not thought to have resulted in PHI being compromised and no reports of PHI access or misuse have been submitted to ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

People whose PHI has been exposed have been notified by mail and advised of the measures they can take to minimize the risk of PHI misuse, such as checking their financial accounts closely and monitoring Explanation of Benefits statements for signs of improper use of their insurance information.

ShopRite has reacted to the incident by refreshing and strengthening its policies and procedures regarding removal of PHI from computers and other electronic devices and the safe and secure disposal of electronic technology. Employees have also been given further training on privacy and security.

The breach report filed with the HHS’ Office for Civil Rights indicates 9,956 people have been affected by the incident.

HIPAA Rules require all electronic data to be completely erased from electronic devices before disposal. All PHI must be made unreadable and indecipherable, and a method should be used to delete data that prevents the information from being reconstructed.

For ePHI, this can be achieved by securely clearing and overwriting the data, purging by exposing the device to powerful magnetic fields, or destroying the device by burning, incineration or an alternative method.


Patrick Kennedy
