State Slaps Supermarket Co-Op with HIPAA Settlement
New Jersey Case is Latest Involving a State Taking Action Over a Health Data Breach
New Jersey regulators have slapped a supermarket cooperative with a $235,000 settlement for violations of HIPAA and state consumer fraud laws in a case involving improper disposal of electronic devices used to collect customers' signatures and pharmacy information.
The settlement is the latest involving a state attorney general taking legal action against an entity for violations of HIPAA and other state regulations in the wake of a security or privacy incident involving health information.
The HITECH Act of 2009 gave state attorneys general the authority to bring civil actions for violations of the HIPAA privacy and security rules.
In a statement Monday, New Jersey Attorney General Gurbir Grewal and the state's consumer affairs division said Keasbey, N.J.-based Wakefern Food Corp., the largest retailer-owned cooperative in the U.S., and two of its associated ShopRite supermarket entities agreed to pay a financial settlement and take corrective actions in the aftermath of an incident involving improperly discarding devices containing personal information of more than 9,700 New Jersey residents.
The settlement resolves allegations that Wakefern and two of its affiliates - Union Lake Supermarket LLC, which owns a ShopRite store in Millville, N.J., and ShopRite Supermarkets Inc., which owns a ShopRite store in Kingston, N.Y. - violated HIPAA and the New Jersey Consumer Fraud Act in 2016 by failing to properly dispose of electronic devices used to collect signatures and purchase information of pharmacy customers, the attorney general says.
The devices, which Wakefern had replaced with newer technology, were discarded in dumpsters in 2016 without first destroying any protected health information that may have been stored on them, as required under HIPAA, the state attorney general's office said.
Exposed customer information included names, phone numbers, birthdates, driver's license numbers, prescription numbers, medication names, dates and times of pickup or delivery, and customer ZIP codes.
"Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes," Grewal said in the statement. "Those who compromise consumers' private health information face serious consequences."
Under the settlement, Wakefern also has agreed to put in place data protection measures aimed at creating and maintaining a comprehensive security program to better safeguard PHI collected at ShopRite supermarkets that operate in-store pharmacies. Those steps include:
- Appointing a chief privacy officer;
- Executing business associate agreements with ShopRite Supermarkets, Union Lake and each of its members that operate pharmacies;
- Ensuring that all the ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer;
- Providing online training for those officers on HIPAA security and privacy rules.
In a statement provided to Information Security Media Group, Allison Berger, Wakefern senior vice president and general counsel, says the company and its cooperative members have "well-developed security measures" in place to secure sensitive customer data.
"Wakefern provides its members a way to properly dispose of electronic devices that include customer information," she says.
"For these two particular devices, out of an abundance of caution and in accordance with law, the appropriate government agencies were notified. There have been no reports that any consumer information was accessed from the devices since the incident was first reported in 2017, and it should be noted that the information contained on the device did not include Social Security numbers or credit card information."
The New Jersey attorney general's settlement with Wakefern and the two ShopRite stores is not the first enforcement action by state or federal regulators in a case involving improper disposal of PHI by a retailer.
In 2015, the grocery store chain Safeway was ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.
In 2010, pharmacy chain Rite Aid Corp. agreed to pay a $1 million fine and take corrective action to settle federal charges that it violated the HIPAA privacy rule and the Federal Trade Commission Act when some of its stores improperly disposed of prescription information in dumpsters.
But it is not just retailers that have been hit with enforcement actions involving improper disposal of health information.
In 2018, the U.S. Department of Health and Human Services signed a $100,000 settlement with Filefax, a now-defunct Illinois-based medical records storage company. At the center of the case was a 2015 breach involving a Filefax dumpster discovered filled with medical records of about 2,000 patients that should have been shredded or destroyed before disposal.
"One of the biggest challenges with proper disposal of PHI is the human element," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"It is relatively easy to create a policy requiring appropriate destruction. But getting workforce members to follow the policy is far more challenging, as people gravitate towards what is easiest," he notes.
As for the New Jersey settlement with Wakefern and ShopRite, "it is somewhat surprising to read that in 2020 a large pharmacy chain such as this is still falling short on basic compliance steps," especially in light of the many previous cases involving improper disposal of PHI, contends regulatory attorney Helen Oscislawski of the law firm Attorneys at Oscislawski LLC.
With every settlement agreement involving PHI breaches, "covered entities and business associates really have no excuse not to glean a new 'lesson learned' from such cases and ensure that they do not repeat such shortcomings," she notes.
All organizations that create and store health information need to have policies and procedures in place for the secure disposal of records, storage media and hardware to prevent confidential and sensitive data from disclosure, says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"Before discarding your computer or portable storage devices, you need to be sure that the device is destroyed or that data has been erased, or 'wiped.' Merely erasing information or disposing of electronic media often leads to a false sense of data security," he says.
To help avoid PHI disposal mishaps, "entities should consider whether they are doing sufficient data mapping, understanding the full lifecycle of their protected health information, including destruction of the information," Greene suggests. "This is ideally part of the risk analysis process, with failure to properly destroy PHI a risk that is evaluated."
The Wakefern case is also not the first HIPAA-related settlement involving the New Jersey attorney general's office. In 2018, the attorneys general of New Jersey and New York each slapped health insurer EmblemHealth with state financial penalties in connection with a 2016 breach that exposed Social Security numbers on mailings to tens of thousands of plan members in both states.
Some experts say it is critical that healthcare sector entities take note of the Wakefern settlement and other similar state attorney general actions involving health data security and privacy breaches.
New Jersey's settlement with Wakefern "reflects an expanding trend of the state attorneys general investigating compliance with privacy and security rules," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"The facts of this case - as described in the public materials - reflect a failure to engage in appropriate techniques to clean electronic devices, which is a known issue that companies should be aware of across the board," he notes.
"Whether it is viewed as a HIPAA violation or a broader violation of other state-based consumer protection principles is almost irrelevant to the investigation - it is not a best practice. Companies should be cognizant of their disposal obligations - under all applicable privacy and security provisions, for electronic and paper information."
In the bigger picture, Nahra notes, "companies should make sure to pay attention to these risks of state AG investigations and should handle them carefully when they arise."
Meanwhile, Holtzman notes that there has been "a marked uptick" in states adopting new standards for data protection and breach reporting.
"Many of these new laws require organizations to protect health information that would not be protected by HIPAA and enforce these requirements on data about that state's residents when held by any entity, anywhere," he says.
"State attorneys general will continue to aggressively bring enforcement actions under HIPAA and state law requirements to protect consumer information from unauthorized disclosure," he notes.
"In some cases that involve breaches that impact the citizens of a number of states, attorneys general are banding together to pursue remedies for the benefit of their states' citizens."
For instance, in September, the attorneys general of 41 states, plus Washington, D.C., slapped health insurer Anthem Inc. with a $39.5 million settlement in the wake of a 2014 cyberattack that affected nearly 79 million individuals.
The attorney general of California in September also signed a separate but similar $8.7 million settlement with Anthem for the same incident.