Improper ShopRite PHI Disposal Incident Affects Almost 10,000 Individuals

It has been discovered that an electronic device used to record the signatures of customers was disposed of without first clearing it of all saved protected health information at a ShopRite pharmacy in Millville, New Jersey.

A small amount of protected health information was saved on the device, which incorporated patients’ names, dates of birth, phone numbers, zip codes, prescription details, medication names, signatures, date and time of collection/delivery, and in some instances, details of over-the-counter medications containing pseudoephedrine (PSE).

The device was used by customers to acknowledge the store’s privacy policy and to acknowledge payment for prescriptions by insurance providers. Data was also gathered on sales of products containing PSE to comply with legal requirements.

People affected by the incident had collected prescriptions or bought PSE products between 2007 and 2013. The device was not used after June 2016.

The improper disposal of the device is not thought to have resulted in PHI being compromised and no reports of PHI access or misuse have been submitted to ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

People whose PHI has been exposed have been notified by mail and advised of the measures they can take to minimize the risk of PHI misuse, such as checking their financial accounts closely and monitoring Explanation of Benefits statements for signs of improper use of their insurance information.

ShopRite has reacted to the incident by refreshing and strengthening its policies and procedures regarding removal of PHI from computers and other electronic devices and the safe and secure disposal of electronic technology. Employees have also been given further training on privacy and security.

The breach report filed with the HHS’ Office for Civil Rights indicates 9,956 people have been affected by the incident.

HIPAA Rules require all electronic data to be completely erased from electronic devices before disposal. All PHI must be made unreadable and indecipherable, and a method should be used to delete data that prevents the information from being reconstructed.

With ePHI this can be achieved through safe clearing and overwriting of data, purging by exposing the device to powerful magnetic fields, or destroying the device by burning, incineration or an alternative method.