HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite

A ShopRite pharmacy in Millville, New Jersey has discovered an electronic device used to capture the signatures of customers has been disposed of without first wiping the device of all stored protected health information.

A limited amount of protected health information was stored on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription numbers, medication names, signatures, date and time of collection/delivery, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE).

The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance carriers. Information was also collected on sales of products containing PSE to meet legal requirements.

Individuals affected by the incident had collected prescriptions or purchased PSE products between 2007 and 2013. The device was disposed of in June 2016.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The improper disposal of the device is not understood to have resulted in PHI being compromised and no reports of PHI access or misuse have been received by ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

Individuals whose PHI has been exposed have been notified by mail and advised of the steps they can take to reduce the risk of PHI misuse, such as checking their financial accounts closely and monitoring Explanation of Benefits statements for signs of misuse of their insurance information.

ShopRite has responded to the incident by updating and strengthening its policies and procedures regarding removal of PHI from computers and other electronic devices and the safe and secure disposal of electronic equipment. Pharmacy staff have also been retrained on privacy and security.

The breach report submitted to the HHS’ Office for Civil Rights indicates 9,956 individuals have been impacted by the incident.

HIPAA Rules require all electronic data to be permanently erased from electronic devices prior to disposal. All PHI must be rendered essentially unreadable and indecipherable, and a method should be used to erase data that prevents the information from being reconstructed.

In the case of ePHI this can be achieved through secure clearing and overwriting of data, purging by degaussing or exposing the device to strong magnetic fields, or destroying the device through burning, pulverization, melting, or incineration.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.