ShopRite Failed to Properly Dispose of Electronic Device, Exposing PHI of 9,956 Customers

An electronic device used by ShopRite Pharmacy in Millville, New Jersey to capture customer signatures was disposed of in June 2016 without all of the protected health information (PHI) stored on it being deleted. The device held only a limited set of PHI, including patients’ names, birth dates, phone numbers, zip codes, medication names, prescription numbers, signatures, and collection or delivery times and dates. In some cases, the device also recorded details of purchases of over-the-counter medications containing pseudoephedrine (PSE).

To meet legal requirements, ShopRite asked customers to use the electronic device to acknowledge the pharmacy’s privacy policy and the payment for their medications by insurance providers. The device was also used to record sales of products containing PSE.

Not all customers were affected by the data breach. Only those who collected prescriptions or bought PSE products between 2007 and 2013 were affected. When the device was disposed of in June 2016, it was not certain that the disposal resulted in a compromise of PHI. Moreover, ShopRite, Union Lake Supermarket and Wakefern Food Corporation did not receive any report of PHI being accessed or misused.

ShopRite has already mailed notification letters to all customers affected by the data breach. The notification included specific advice on steps to lower the risk of PHI misuse. Customers were asked to check all their financial accounts and to monitor their Explanation of Benefits statements for signs that anyone has misused their insurance information.

ShopRite also responded to the incident with a corrective action plan. It reviewed and updated its policies and procedures for deleting PHI from electronic devices, such as computers and portable storage devices, before they are disposed of. It also retrained its pharmacy staff on the HIPAA Security and Privacy Rules.

HHS’ Office for Civil Rights has received the breach report, which indicated that 9,956 customers were affected by the data breach. The HIPAA Rules require covered entities to permanently erase all ePHI from devices before disposing of them; the deleted PHI must be unreadable, indecipherable and unrecoverable. Several methods of data deletion may be used, including overwriting the ePHI, purging by degaussing or exposure to strong magnetic fields, and destroying the media by burning, melting, pulverization or incineration.