The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.
The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California's Confidentiality of Medical Information Act.
Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney's Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.
Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von's, Pavilions and Pak 'n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.
The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.
Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators - who examined retail store waste taken to landfills - found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.
"The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers' confidential medical information," says the Alameda County district attorney's statement. "Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste."
The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or "making indecipherable" patient and other consumer personal information before disposing it, Mifsud says.
"There's a risk of identity theft committed by dumpster divers, and unfortunately by some employees," he says.Settlement Terms
According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 - the same day the suit was filed by the district attorneys against Safeway - the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California's medical confidentiality laws, Mifsud says.
Also as part of the settlement, the retailer must also "maintain and enhance, as necessary" its customer record destruction program to ensure that confidential medical information is disposed of in a manner that protects individuals' privacy. Plus, it must take several steps related to environmental compliance, including ensuring that its workforce is trained in properly disposing waste.
Court documents do not indicate how many customers' improperly dumped pharmacy records were found by inspectors. Mifsud says it's difficult to estimate the number of patients or pharmacy records that were affected by the improper disposal because the inspections only provided "a snapshot" of the some stores' activities.
Approximately 500 Safeway retail stores and distribution centers in the state must abide by the corrective action terms of the settlement, Mifsud says.
State attorneys started negotiations with Safeway in 2012, when the first violations were first discovered, he says. The suit and settlement documents were both filed in court the same day, Dec. 31, as a formality to those discussions, he explains.
In a statement to ISMG, Safeway says, "We have enhanced [our] programs and added new and supplementary training to ensure strict adherence to the law and to our policies. Safeway will continue to dedicate significant resources to these important programs."
Privacy and security attorney Kathryn Coburn, a partner at law firm Cooke Kobrick LLP, says that the Safeway case is a reminder to all organizations that having policies about protecting sensitive information of patients is not enough; they also need to have procedures for the workforce to follow and training to ensure those procedures are understood.
"Everyone I deal with has policies. But if there are no procedures, and no training, those policies aren't any good," she says.Other Disposal Cases
The Safeway settlement is not the first time enforcement actions have been taken by regulators against a retailer charged with improper disposal of sensitive medical information.
In a 2010 settlement with the U.S. Department of Health and Human Services, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. Also, a $2.25 million HHS settlement was reached in a similar case against CVS Caremark in February 2009.
And retail pharmacies aren't the only organizations that have been cited by regulators for improper disposal of medical information. For example, HHS' Office for Civil Rights last June announced an $800,000 HIPAA settlement with Parkview Health Systems, an Indiana community health system, after paper medical records for 5,000 to 8,000 patients were dumped in the driveway of a physician's home.
Security and privacy attorney Stephen Wu of the law firm Silicon Valley Law Group says OCR could decide to open a HIPAA non-compliance case against Safeway based on the findings by state regulators in their suit against the retailer.
"If I were Safeway's counsel, I'd be advising the company to look for another shoe to drop," Wu says.
Mifsud says he's unaware if OCR is investigating the Safeway matter. OCR did not respond to ISMG's request for comment.