On December 31, 2014, the second-largest U.S. grocery chain, Safeway, was ordered to pay a $9.87 million penalty as a part of a settlement with California prosecutors related to the improper dumping of hazardous waste, and the improper disposal of confidential pharmacy records containing protected health information in violation of California’s Confidentiality of Medical Information Act (“CIMA”).
This settlement comes after an investigation revealed that for over seven years hazardous materials, such as medicine and batteries, had been “routinely and systematically” sent to local landfills that were not equipped to receive such waste. Additionally, the investigation revealed that Safeway failed to protect confidential medical and health records of its pharmacy customers by disposing of records containing patients’ names, phone numbers, and addresses without shredding them, putting these customers at risk of identity theft.
Under this settlement agreement, while Safeway admits to no wrongdoing, it will pay (1) a $6.72 million civil penalty, (2) $2 million for supplemental environmental projects, and (3) $1.15 million in attorneys’ fees and costs. In addition, pursuant to the agreement, Safeway must maintain and enhance its customer record disposal program to ensure that customer medical information is disposed of in a manner that preserves the customer’s privacy and complies with CIMA.
“Today’s settlement marks a victory for our state’s environment as well as the security and privacy of confidential patient information throughout California,” said Alameda County District Attorney Nancy O’Malley. Alameda County Assistant District Attorney Kenneth Mifsud says the case against Safeway spotlights the importance of healthcare entities, such as pharmacy chains and hospitals, properly shredding, or otherwise “making indecipherable,” patient and other consumer personal information prior to disposal.
However, despite the settlement, customers whose personal information was improperly disposed of will have a difficult time suing for a “pure” loss of privacy due to Safeway’s violation of CIMA. In Sutter Health v. Superior Court, a California Court of Appeals held that confidential information covered by CIMA must be “actually viewed” for the statutory penalty provisions of the law to apply. So, parties bringing claims under CIMA will now have to allege, and ultimately prove, that their confidential information (1) changed possession in an unauthorized manner, and that (2) it was actually viewed (or presumably, used) by an unauthorized party.
The takeaway from Safeway’s settlement is to ensure that your customers are not at risk of data breaches and identity theft, and to protect your company from the million-dollar consequences that can result from failing to do so. If you have any questions about complying with privacy and health information laws, please feel free to contact one of our certified privacy attorneys at OlenderFeldman LLP.