ShopRite Data Breach Results in $235,000 HIPAA Penalty for Wakefern Food Corporation

New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs have announced that a settlement has been reached with Wakefern Food Corporation to resolve allegations of violations of the Health Insurance Portability and Accountability Act (HIPAA) and multiple violations of the state fraud act.

An investigation was launched by the New Jersey Division of Consumer Affairs after reports were received in 2016 about the improper disposal of electronic devices that contained the personal and protected health information of 9,700 customers of pharmacies in two ShopRite supermarkets.

Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns a ShopRite supermarket in Millville, New Jersey, and ShopRite Supermarkets, Inc., which owns a ShopRite store in Kingston, NY. Wakefern Food Corporation replaced two electronic devices used to record customer information and signatures at the pharmacies in those two stores and disposed of the old devices in regular dumpsters.

HIPAA Rules require all electronic protected health information (ePHI) to be permanently and securely deleted prior to disposal, or the devices that contain ePHI to be destroyed so that any stored data is unrecoverable. No efforts were made to destroy data prior to disposal.

The devices contained a range of sensitive data, including names, contact information, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, and pickup and delivery dates, which could potentially have been accessed by unauthorized individuals.

The investigation by the New Jersey Division of Consumer Affairs determined that appropriate training on HIPAA regulations and the protection of customer data had not been provided to staff at the pharmacies; that there were violations of the HIPAA Privacy Rule, including the lack of business associate agreements with the supermarkets and pharmacies; and that there were several violations of state laws related to the improper disposal of sensitive data.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said New Jersey Attorney General Gurbir S. Grewal. “Those who compromise consumers’ private health information face serious consequences.”

The settlement requires Wakefern Food Corporation to pay $209,856.50 in civil penalties and $25,143.50 as reimbursement for investigation costs and attorney’s fees, in addition to implementing a range of measures to ensure protected health information is safeguarded and to comply with the requirements of federal and state laws.

Those measures include Wakefern appointing a chief privacy officer and ensuring that ShopRite Supermarkets, Union Lake, and members who operate the pharmacies in the supermarkets sign business associate agreements and implement measures to protect customer data and policies and procedures to comply with the HIPAA Rules. Each of the pharmacies must appoint a HIPAA privacy and security officer and online training must be provided to those individuals on their job responsibilities.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”