New Jersey Attorney General (AG) Gurbir S. Grewal announced on November 2, 2020, that his office has settled with ShopRite’s parent company, Wakefern Food Corp. (Wakefern) and two of its supermarket entities for $235,000 for a data breach that occurred in 2016.

According to the press release, the AG alleged that Wakefern violated HIPAA and the New Jersey Consumer Fraud Act (CFA) by “failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers” in its Kingston and Millville ShopRite stores.

The AG alleged that the electronic devices were discarded in dumpsters in 2016 without wiping them when newer technology was adopted. The incident “may have exposed names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.”

In addition to the fine, Wakefern is required to appoint a chief privacy officer, execute Business Associate Agreements with the entities that are operating its pharmacies, ensure that all ShopRite stores with pharmacies designate a HIPAA privacy officer and a HIPAA security officer, and provide online training for those officers on the HIPAA privacy and security rules.