Wakefern Food Corp., the largest retailer-owned cooperative in the United States, and two of its associated ShopRite supermarket entities have agreed to pay $235,000 in penalties and improve security practices for their customers’ personal data.
According to the New Jersey Attorney General's Office, the settlement resolves allegations that Wakefern, based in Keasbey, NJ; Union Lake Supermarket, LLC, which owns the ShopRite store in Millville; and ShopRite Supermarkets, Inc. (SRS), which owns the ShopRite store in Kingston, violated the federal Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) by failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers.
Wakefern and ShopRite failed to protect the personal information of more than 9,700 New Jersey residents who made pharmacy purchases at ShopRite supermarkets in Millville, New Jersey and Kingston, New York, Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs said in a press release.
The devices, which Wakefern had replaced with newer technology, were discarded in dumpsters in 2016, without first destroying any protected health information that may have been stored on them, as required under HIPAA. The data breach may have exposed names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.
“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Attorney General Grewal. “Those who compromise consumers’ private health information face serious consequences.”
As part of the settlement, Wakefern has agreed to put in place specific data protection measures aimed at creating and maintaining a comprehensive security program that will safeguard Protected Health Information (PHI) and the Electronic Protected Health Information (ePHI) collected at ShopRite supermarkets that operate in-store pharmacies.
Additionally, Union Lake and SRS have agreed to provide the Division with written assurances within 30 days of the settlement that they have designated HIPAA security and privacy officers and, within 120 days of the settlement, provide the Division with assurances that those officers completed the online training offered by Wakefern.
“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”
The Division also alleged that Wakefern, SRS, and Union Lake engaged in multiple violations of the CFA by failing to properly collect and/or dispose of the electronic devices and by failing to provide pharmacies with appropriate training on handling the ePHI contained on the devices.
The monetary settlement consists of $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs, said the New Jersey Attorney General's Office. Investigator Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.