HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident

ShopRite Supermarkets, Inc., has announced that some of its pharmacy customers have been impacted by a security breach involving the improper disposal of a device used to capture customers’ signatures.

The device was used at the ShopRite, Kingston, NY location between 2005 and 2015 and stored personal and medical information. Customers who visited the pharmacy and had prescriptions filled between 2005 and 2015 have potentially been impacted by the incident. For those customers, the device stored information such as names, phone numbers, prescription numbers, dates and times of pickup or delivery, zip codes, medication names, and customers’ signatures.

The device was also used for customers who bought an over-the-counter product containing pseudoephedrine. Those customers have had their driver’s license number, zip code, details of the product purchased, and personal and medical information exposed.

In the substitute breach notice posted on the Wakefern Food Corp., website, customers have been advised that the device was disposed of by accident in February 2016, although ShopRite only confirmed that a data security incident had occurred on October 13, 2017.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

ShopRight has not received any reports to suggest the information on the device has been accessed or misused in any way, although customers have been advised to monitor their Explanation of Benefits statements from their insurers for any sign of fraudulent use of their data. Customers have also been advised to monitor their financial accounts for any sign of fraud, although ShopRite does point out that their Social Security numbers and financial data were not exposed at any point.

ShopRite has responded to the incident by reviewing its security policies in relation to devices that store personal information and the removal and secure deletion of data from those devices prior to disposal. Privacy and security training has also been provided to all pharmacy staff to help prevent further security breaches of this nature.

All customers impacted by the security breach have now been notified by mail. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 12,172 individuals have been impacted.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.