NEWARK – Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (the Division) today announced that Wakefern Food Corp. (Wakefern), the largest retailer-owned cooperative in the United States, and two of its associated ShopRite supermarket entities, have agreed to pay $235,000 and improve data security practices to resolve allegations that they failed to protect the personal information of more than 9,700 New Jersey residents who made pharmacy purchases at ShopRite supermarkets in Millville, NJ and Kingston, NY.
The settlement resolves allegations that Wakefern, based in Keasbey, NJ; Union Lake Supermarket, LLC (“Union Lake”), which own the Shoprite store in Millville; and ShopRite Supermarkets, Inc. (“SRS”), which owns the Shoprite store in Kingston, violated the federal Health Insurance Portability and Accountability Act (HIPAA) and the New Jersey Consumer Fraud Act (CFA) by failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers.
The devices, which Wakefern had replaced with newer technology, were discarded in dumpsters in 2016, without first destroying any protected health information that may have been stored on them, as required under HIPAA.
The data breach may have exposed names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.
"Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Attorney General Grewal.
”Those who compromise consumers’ private health information face serious consequences.”
As part of the settlement, Wakefern has agreed to put in place specific data protection measures aimed at creating and maintaining a comprehensive security program that will safeguard Protected Health Information (PHI) and the Electronic Protected Health Information (ePHI) collected at ShopRite supermarkets that operate in-store pharmacies.
Those protective measures include:
appointing a chief privacy officer;
executing a Business Associate Agreement with SRS, Union Lake and each of its members that operate pharmacies within 30 days of the settlement, to ensure that these entities will appropriately safeguard protected health information;
ensuring that all the ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer; and
providing online training for those officers on HIPAA security and privacy rules.
Additionally, Union Lake and SRS have agreed to provide the Division with written assurances within 30 days of the settlement that they have designated HIPAA security and privacy officers and, within 120 days of the settlement, provide the Division with assurances that those officers completed the online training offered by Wakefern.
“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.
“This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that place consumers at risk for privacy invasion and identity theft.”
The Division also alleged that Wakefern, SRS, and Union Lake engaged in multiple violations of the CFA by failing to properly collect and/or dispose of the electronic devices and failing to properly provide pharmacies with appropriate training on properly handling the ePHI contained on the devices.
The monetary settlement consists of $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs.
Investigator Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit conducted this investigation.
Deputy Attorney General Robert Holup of the Consumer Fraud Prosecution Section and Kashif Chand, Chief of the Data Privacy & Cybersecurity Section within the Division of Law’s Affirmative Civil Enforcement Practice Group, represented the State in the matter.