10,000 ShopRite Clients Have PHI Exposed Due to Improper Destruction of Device

A ShopRite pharmacy based in Millville, New Jersey, has reported that an electronic device used to record people's signatures was destroyed without first deleting all stored protected health information (PHI) from it.

A limited amount of protected health information was held on the device, including patients’ names, birth dates, contact details, zip codes, prescription numbers, medication names, signatures, collection/delivery times, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE).

The device in question was used by people to acknowledge the store’s privacy policy and payment for required prescriptions by insurance carriers. Information was also collated on sales of medications containing PSE to comply with legal requirements.

Those affected by the incident had purchased prescriptions or PSE products between 2007 and 2013. The device was thrown out in June 2016.

The improper disposal of the device is not believed to have resulted in PHI being compromised and no official reports of PHI access or misuse have been recorded by ShopRite, Union Lake Supermarket, or Wakefern Food Corp.

Individuals whose private health information has been compromised have been contacted by mail and advised of the actions they can take to reduce the risk of PHI misuse, such as reviewing their financial transactions closely and monitoring Explanation of Benefits statements for signs of inappropriate use of their insurance information.

Since the incident, ShopRite has updated and enhanced its policies and procedures for deleting PHI from computers and other electronic devices and for the safe and secure disposal of electronic equipment. Pharmacy workers have also been given additional training on privacy and security.

The breach report sent to the HHS’ Office for Civil Rights shows that 9,956 people have been affected by the incident.

HIPAA regulations require all electronic data to be completely deleted from electronic devices when they are disposed of. All PHI must be made unusable and indecipherable, and the erasure method used must prevent the information from being reconstructed.

For ePHI, this can be achieved by securely clearing and overwriting the data, by purging through degaussing or exposing the device to strong magnets, or by destroying the device through burning or pulverization.

Author: Maria Perez