Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite

Share this article on:

A ShopRite pharmacy in Millville, New Jersey has discovered an electronic device used to capture the signatures of customers has been disposed of without first wiping the device of all stored protected health information.

A limited amount of protected health information was stored on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription numbers, medication names, signatures, date and time of collection/delivery, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE).

The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance carriers. Information was also collected on sales of products containing PSE to meet legal requirements.

Individuals affected by the incident had collected prescriptions or purchased PSE products between 2007 and 2013. The device was disposed of in June 2016.

The improper disposal of the device is not understood to have resulted in PHI being compromised and no reports of PHI access or misuse have been received by ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

Individuals whose PHI has been exposed have been notified by mail and advised of the steps they can take to reduce the risk of PHI misuse, such as checking their financial accounts closely and monitoring Explanation of Benefits statements for signs of misuse of their insurance information.

ShopRite has responded to the incident by updating and strengthening its policies and procedures regarding removal of PHI from computers and other electronic devices and the safe and secure disposal of electronic equipment. Pharmacy staff have also been retrained on privacy and security.

The breach report submitted to the HHS’ Office for Civil Rights indicates 9,956 individuals have been impacted by the incident.

HIPAA Rules require all electronic data to be permanently erased from electronic devices prior to disposal. All PHI must be rendered essentially unreadable and indecipherable, and a method should be used to erase data that prevents the information from being reconstructed.

In the case of ePHI this can be achieved through secure clearing and overwriting of data, purging by degaussing or exposing the device to strong magnetic fields, or destroying the device through burning, pulverization, melting, or incineration.

Author: HIPAA Journal

Share This Post On