ShopRite Supermarkets, Inc announced to its pharmacy customers about a security breach as a result of the improper disposal of a device used for capturing customers’ signatures. ShopRite, Kingston in New York used the device from 2005 to 2015 to store personal and medical information of customers who purchased prescription drugs. Stored information included names, contact numbers, prescription numbers, pickup or delivery dates and times, zip codes, customers’ signatures and medication names. The device also stored the information of customers who bought over-the-counter drugs with pseudoephedrine. Their information, which included driver’s license numbers, zip code, info of product purchased, personal and medical information, may have been potentially exposed as well.
Wakefern Food Corp posted a substitute breach notice on its website to let customers know that the device was accidentally disposed of on February 2016. But ShopRite only announced that a data security incident took place on October 13, 2017. So far, there had been no reports received that suggest access or misuse of information. Despite that and the fact that no financial data or Social Security numbers were exposed, ShopRite still advised customers to monitor the Explanation of Benefits statements they get from their insurers and their financial accounts for signs of fraudulent use of data.
ShopRite further made corrective actions to the incident including re-evaluating its security policies in particular regarding devices that store customers’ personal information. Proper removal or deletion of data from those devices prior to disposal must be followed. All pharmacy staff also underwent privacy and security training to prevent any more security breaches of this nature.
ShopRite had already notified by mail all 12,172 customers impacted by the security breach. The Department of Health and Human Services’ Office for Civil Rights also received the breach report submitted by the company.