AG Grewal Announces ShopRite, Wakefern to Pay $235,000 and Improve Data Security in Settlement over Privacy Lapses at Supermarket Pharmacies

Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (the Division) today announced that Wakefern Food Corp. (Wakefern), the largest retailer-owned cooperative in the United States, and two of its associated ShopRite supermarket entities, have agreed to pay $235,000 and improve data security practices to resolve allegations that they failed to protect the personal information of more than 9,700 New Jersey residents who made pharmacy purchases at ShopRite supermarkets in Millville, NJ and Kingston, NY.

The settlement resolves allegations that Wakefern, based in Keasbey, NJ; Union Lake Supermarket, LLC (“Union Lake”), which owns the ShopRite store in Millville; and ShopRite Supermarkets, Inc. (“SRS”), which owns the ShopRite store in Kingston, violated the federal Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) by failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers.

The devices, which Wakefern had replaced with newer technology, were discarded in dumpsters in 2016, without first destroying any protected health information that may have been stored on them, as required under HIPAA. The data breach may have exposed names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Attorney General Grewal. “Those who compromise consumers’ private health information face serious consequences.”

As part of the settlement, Wakefern has agreed to put in place specific data protection measures aimed at creating and maintaining a comprehensive security program that will safeguard Protected Health Information (PHI) and the Electronic Protected Health Information (ePHI) collected at ShopRite supermarkets that operate in-store pharmacies.

Those protective measures include:

  • appointing a chief privacy officer;
  • executing a Business Associate Agreement with SRS, Union Lake and each of its members that operate pharmacies within 30 days of the settlement, to ensure that these entities will appropriately safeguard protected health information;
  • ensuring that all the ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer; and
  • providing online training for those officers on HIPAA security and privacy rules.

Additionally, Union Lake and SRS have agreed to provide the Division with written assurances within 30 days of the settlement that they have designated HIPAA security and privacy officers and, within 120 days of the settlement, provide the Division with assurances that those officers completed the online training offered by Wakefern.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”

The Division also alleged that Wakefern, SRS, and Union Lake engaged in multiple violations of the CFA by failing to properly collect and/or dispose of the electronic devices and failing to properly provide pharmacies with appropriate training on properly handling the ePHI contained on the devices.

The monetary settlement consists of $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs.


1 COMMENT

  1. According to HIPAA all those bullet points are required by Federal Law. Don’t get fined or closed down. Make sure you know what you are doing. They hold regular unannounced audits and inspections.
