Wakefern Food Corp. and two of its ShopRite store owners have agreed to a $235,000 fine and will adopt new data security practices following an allegation that the companies improperly disposed of electronic devices used to collect information at the stores’ pharmacies.
The settlement was detailed in a release this week from the New Jersey attorney general in Newark, N.J.
According to Attorney General Gurbir Grewal, the stores—ShopRite units in Millville, N.J., and in Kingston, N.Y.—in 2016 discarded the equipment in dumpsters when replacing it with newer technology, without first destroying any information it may have contained. This violated the federal Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act.
Union Lake Supermarket LLC owns the ShopRite store in Millville, and ShopRite Supermarkets Inc. owns the Kingston store. Wakefern, based in Keasbey, N.J., is the member-owned buying and marketing cooperative for ShopRite’s owners.
The data breach may have exposed names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pickup or delivery, and customer zip codes for about 9,700 New Jersey residents who shopped at the two stores.
“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Grewal. “Those who compromise consumers’ private health information face serious consequences.”
As part of the settlement, Wakefern has agreed to put in place specific data protection measures aimed at creating and maintaining a comprehensive security program that will safeguard Protected Health Information (PHI) and the Electronic Protected Health Information (ePHI) collected at ShopRite supermarkets that operate in-store pharmacies.
Those protective measures include:
- Appointing a chief privacy officer.
- Executing, within 30 days of the settlement, a Business Associate Agreement with SRS, Union Lake and each of its members that operate pharmacies, to ensure that these entities will appropriately safeguard protected health information.
- Ensuring that all the ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer.
- Providing online training for those officers on HIPAA security and privacy rules.
Additionally, Union Lake and ShopRite Stores have agreed to provide the New Jersey Division of Consumer Affairs with written assurances within 30 days of the settlement that they have designated HIPAA security and privacy officers and, within 120 days of the settlement, to provide it with assurances that those officers have completed the online training offered by Wakefern.
“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, acting director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”
The division also alleged that Wakefern, SRS and Union Lake engaged in multiple violations of the Consumer Fraud Act (CFA) by failing to properly collect and/or dispose of the electronic devices and by failing to provide pharmacies with appropriate training on properly handling the ePHI contained on the devices.
The monetary settlement consists of $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs.