Following claims of breaches of federal and state legislation, linked to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston NY, Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties and implement a range of security enhancements.
Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY.
Back in 2016, Wakefern removed electronic devices ,that were used to collect customer signatures and purchase information at the two locations, from use. The old devices were thrown away in regular dumpsters without being put our of used or purged of the information they were holding. The devices were holding the protected health information of 9,700 customers of the two stores incorporating names, contact details, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, collection and delivery dates.
After the submission of reports about the improper destruction of ePHI, the New Jersey Division of Consumer Affairs launched an investigation and found that the disposal of the devices was in breach of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and there had been a number of violations of the state’s fraud act. Workers at the stores had also not been provided with appropriate training on the handling and disposal of sensitive data.
New Jersey Attorney General Gurbir S. Grewal said: “Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes. Those who compromise consumers’ private health information face serious consequences.”
Wakefern has agreed to pay $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and auditing costs and will enhance security measure to tackle any future cyberattacks or breaches. Those measures include hiring a chief privacy officer, executing a business associate agreement with ShopRite Supermarkets, Union Lake, and each of the members that run pharmacies in the supermarkets, and ensuring proper measures are put in place to safeguard protected health information. All of the ShopRite stores that has a pharmacy must appoint a HIPAA privacy officer and HIPAA security officer to manage compliance and online training must be provided for those officers on their privacy and security positions.
Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs said: “New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands. This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that place consumers at risk for privacy invasion and identity theft.”