ShopRite and its parent company Wakefern have agreed to pay New Jersey $235,000 over a lapse in data disposal security.
The companies agreed to the substantial settlement to resolve claims that they failed to protect the personal information of more than 9,700 New Jersey residents who shopped at ShopRite supermarkets in Millville, New Jersey, and Kingston, New York.
According to the allegations, the companies violated Health Insurance Portability and Accountability Act (HIPAA) regulations and the New Jersey Consumer Fraud Act (CFA) by failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers.
After the devices were replaced with newer technology by Wakefern in 2016, it is alleged that the old machines were simply tossed into dumpsters. Under HIPAA, any protected health information that may have been stored on the devices should have been removed prior to their disposal.
Data that may have been exposed in the security breach included names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.
“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Attorney General Gurbir Grewal.
“Those who compromise consumers’ private health information face serious consequences.”
As part of the settlement, Wakefern must implement specific data-protection measures aimed at safeguarding Protected Health Information (PHI) and Electronic Protected Health Information (ePHI) collected at ShopRite supermarkets that operate in-store pharmacies.
The company, which is based in Keasbey, New Jersey, has agreed to appoint a chief privacy officer and to ensure that all ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer. Wakefern will then provide those officers with online training on HIPAA security and privacy rules.
“This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft,” said Paul Rodríguez, acting director of the Division of Consumer Affairs.