No, I don't think it would be. The last four digits of a CC purchase at a pharmacy won't contain PHI. It will just say "pharmacy." But if you have some data to back that claim up, I'd love to read about it.
They probably have records for each individual (not just last four digits of CC); I don't think it's hipaa violation as long as the records don't contain personally identifying information.