Wakefern Food Corp. and two of its associated ShopRite supermarkets have agreed to pay $235,000 and improve data security practices to resolve allegations that they jeopardized customers’ personal information, Attorney General Gurbir Grewal and the New Jersey Division of Consumer Affairs said Monday.
The settlement resolves allegations that Wakefern, based in Keasbey; Union Lake Supermarket LLC, which owns the ShopRite store in Millville; and ShopRite Supermarkets Inc. (SRS), which owns the ShopRite store in Kingston, N.Y., violated the federal Health Insurance Portability and Accountability Act and the New Jersey Consumer Fraud Act by improperly disposing of electronic devices used to collect the signatures and purchase information of pharmacy customers.
Wakefern replaced the devices with newer technology in 2016, and the older devices were discarded in dumpsters without first destroying any protected health information that may have been stored on them, as required under HIPAA.
This may have exposed names, phone numbers, birth dates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer ZIP codes.
“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Grewal in a prepared statement. “Those who compromise consumers’ private health information face serious consequences.”
Wakefern has agreed to establish data protection measures to develop and maintain a security program to safeguard protected health information and electronic protected health information collected at in-store pharmacies.
Under the measures, Wakefern is to appoint a chief privacy officer. Wakefern also must execute a business associate agreement with SRS, Union Lake and each of its pharmacy-operating members within 30 days to ensure that they will appropriately safeguard protected health information.
Additionally, all ShopRites with in-store pharmacies must designate a HIPAA privacy officer and HIPAA security officer, all of whom must be properly trained through online training offered by Wakefern.
Under the settlement, Union Lake and SRS have agreed to provide the Division with written assurances within 30 days that they have designated such officers and, within 120 days, assurances that the officers have completed training.
“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul Rodríguez, acting director of the Division of Consumer Affairs, in a prepared statement. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”
According to the Division, Wakefern, SRS and Union Lake engaged in multiple violations of the New Jersey Consumer Fraud Act by failing to properly collect and/or dispose of the electronic devices and by failing to provide pharmacies with appropriate training on properly handling the electronic personal health information contained on them.
The monetary settlement consists of $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs.
In response to a request for comment, Wakefern Senior Vice President and General Counsel Allison Berger told NJBIZ that “Wakefern and its cooperative members have well-developed security measures in place to secure sensitive customer data. As the settlement recognized, Wakefern provides its members a way to properly dispose of electronic devices that include customer information. For these two particular devices, out of an abundance of caution and in accordance with law, the appropriate government agencies were notified.”
Berger said that there have been no reports that any consumer information was accessed from the devices since the incident was first reported in 2017, and also noted that the information contained on the devices did not include Social Security numbers or credit card information.
Editor’s Note: This story was updated at 8:15 a.m. EST on Nov. 3, 2020, to include comment from Wakefern Food Corp.