Wakefern Food Corporation will pay $235,000 in civil financial penalties to settle allegations that it violated federal and state regulations in connection with a data breach that involved the protected health information (PHI) of 9,700 customers of two ShopRite supermarkets located in Kingston, New York and Millville, New Jersey. In addition to paying the financial penalties, the company is required to improve its data security practices.
Wakefern Food Corporation is the holding company of ShopRite Supermarkets, Inc. and Union Lake Supermarket, LLC. ShopRite Supermarkets, Inc. is the owner of the ShopRite store in Kingston, NY while Union Lake Supermarket, LLC is the owner of the Millville ShopRite store.
In 2016, Wakefern replaced the electronic devices used to collect consumer signatures and purchase data at the two stores. The old units were not disposed of properly. They were put in regular dumpsters without first destroying the devices or erasing the stored information to make sure the sensitive data was unrecoverable. The devices stored the PHI of 9,700 consumers of the two stores, including names, contact data, birth dates, zip codes, driver’s license numbers, prescription types, prescription numbers, and dates of pickup and delivery.
The New Jersey Division of Consumer Affairs started an investigation after getting reports concerning the inappropriate disposal of ePHI. It confirmed that the way the devices were disposed of violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as well as the state’s fraud act. Employees at the stores did not receive proper training on how to handle and dispose of sensitive data.
According to New Jersey Attorney General Gurbir S. Grewal, pharmacies have the legal obligation to secure the privacy of collected patient data and to correctly dispose of that data when necessary. There are serious consequences for those who compromise the private health data of consumers.
Wakefern will pay $209,856.50 as a civil penalty and will reimburse $25,143.50 of attorneys’ fees and investigative expenses. Further, it needs to implement protective procedures to avoid future data breaches. The measures consist of:
- designating a chief privacy officer
- signing a business associate agreement with ShopRite Supermarkets, Union Lake, and every member that runs pharmacies inside the supermarkets
- implementing proper measures to secure PHI
Every ShopRite store that operates a pharmacy must designate a HIPAA privacy officer and HIPAA security officer to supervise compliance and they must undergo online training about their privacy and security functions.
Acting Director of the Division of Consumer Affairs Paul R. Rodríguez stated that consumers in New Jersey who buy prescription medicine at the neighborhood supermarket should know that their most private data are fully protected by law and must not be carelessly handled. The settlement of this case makes sure that ShopRite supermarket pharmacies will undergo training and monitoring for HIPAA compliance to prevent future incidents that put consumers in danger of identity theft and privacy invasion.