Vitalii Gulenok/istock via Getty

Wakefern, ShopRite Pay New Jersey $235K for Fraud Act, HIPAA Violations

New Jersey reached a settlement with Wakefern Food Corp and two associated ShopRite supermarkets for $235,000 to resolve violations of HIPAA and the NJ Consumer Fraud Act.

The New Jersey Division of Consumer Affairs and NJ Attorney General Gurbir Grewal announced a settlement with Wakefern Food Corp and two associated ShopRite supermarkets to resolve violations of the NJ Consumer Fraud Act and HIPAA, stemming from improper records disposal.

The monetary settlement includes $209,856.50 in civil penalties, along with $25,143.50 to reimburse attorneys’ fees and investigative costs. 

In 2016, reports found ShopRite’s Millville and Kingston locations failed to properly dispose of electronic devices used to collect signatures and purchase information of more than 9,700 pharmacy customers. 

After replacing the devices in question with newer technology, Wakefern disposed of the tech in dumpsters without first destroying the data stored on them as required by the HIPAA Privacy rule. The devices contained individuals’ names, contact details, driver’s license numbers, birthdates, prescription numbers and type, dates and times of pickup or delivery, and customer zip codes. 

An investigation into the incident was led by Aziza Salikhova of the Division of Consumer Affairs’ Cyber Fraud Unit. The division alleged that Wakefern, Union Lake, and ShopRite also engaged in multiple violations of the state’s fraud act by failing to properly collect and or dispose of the electronic devices, as well as failing to properly provide appropriate training on how to properly handle the ePHI on the devices in question. 

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said Grewal, in a statement. “Those who compromise consumers’ private health information face serious consequences.” 

In addition to the monetary fine, Wakefern is required to implement specific security measures to both create and maintain a comprehensive security program to safeguard protected health information and ePHI at ShopRite pharmacies. 

Those measures include appointing a chief privacy officer, as well as entering into a business associate agreement with ShopRite, Union Lake, and its members that operate pharmacies within 30 days of the settlement to ensure appropriate security measures are applied at these sites. 

Under HIPAA, covered entities are indeed required to enter into business associate agreements their partners to maintain the security of PHI and to comply with the privacy and security rule. Business associates are defined as an entity or individual that performs activities or functions on behalf of a covered entity and requires the business associate to access PHI. 

Business associate agreements must detail the security elements as specified by HIPAA, and the contract must “describe the permitted and required uses of PHI by the business associate; provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI other than as provided for by the contract.”  

“Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement,” HHS explained. 

The NJ settlement will also require Wakefern to ensure its ShopRite pharmacies designate a HIPAA privacy officer and HIPAA security officer, in addition to providing those officers with online training on the HIPAA Privacy and Security rules. 

Union Lake and ShopRite also agreed to these provisions with written assurances that they will instate privacy and security officers within 30 days of the settlement and provide training within 120 days. 

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” Paul Rodríguez, acting director of the Division of Consumer Affairs, said in a statement. 

“This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that place consumers at risk for privacy invasion and identity theft,” he added. 

Notably, the Wakefern incidents are not listed as incidents under investigation with the Office for Civil Rights.In recent years, many states have launched investigations into healthcare data breaches to ensure consumer data is properly protected by companies, even those that may not always fall under HIPAA rules.

Most recently, Community Health Systems (CHS) in Tennessee reached a $5 million settlement with 28 states to resolve an investigation into its 2014 healthcare data breach, which affected 6.1 million patients. The settlement was announced just two weeks after CHS reached a similar agreement with OCR.

Next Steps

Dig Deeper on HIPAA compliance and regulation