Dumping of Medical Records Investigated by Attorney General’s Office

by | Jun 19, 2016

Recently an officer from the Indianapolis Metropolitan Police Department (IMPD) found a number of medical records in a recycling dumpster, accessible to the public, in Broad Ripple Park, Indianapolis.

A quantity of confidential documents were located in file folders in the dumpster which had been mixed up with newspapers and other paper and cardboard.

IMPD recovered the files and folders from the recycling dumpster. However, there is no way of knowing whether any documents had been removed by members of the public. It is also not transparent whether files had been dumped on a just one occasion, or whether material had been disposed of over an extended duration of time.

The Indiana Attorney General’s Office is now involved and attempts have been made to contact recycling and waste disposal companies who possibly may have come into contact with dumped medical data. If any further files and folders are discovered the attorney general’s office will arrange for the files to be collected and secured.

According to the police report, the files located contain highly sensitive data including patient names, addresses, health insurance information, and Social Security numbers. An inquiry is being conducted to determine who the files belong to, and how they came to be in the dumpster in Broad Ripple Park.

HIPAA requires all medical records to be disposed of safely when they are no longer required. Covered bodies and their business associates must ensure that paper files are destroyed and rendered no longer usable, unreadable, and indecipherable. In addition to this State laws in Indiana require personally identifiable information to be disposed of securely.

Covered bodies found to be guilty of improperly disposing of medical records could be hit with heavy fines and the Department of Health and Human Services’ Office for Civil Rights has, on a prior occasion, taken action against HIPAA-covered bodies that have been discovered to have improperly disposed of PHI. In June 2014, OCR reached a $800,000 settlement with Parkview Health System – which serves subscribers in Northern Indiana – after the company improperly disposed of medical information.

The Indiana attorney general can also take action against companies and individuals who do not dispose of confidential information securely. Indiana is one of a handful of states that has previously used the right to issue financial penalties for HIPAA violations. In early 2015, a fine of $12,000 was issued to former Kokomo dentist Joseph Beck for illegally dumping the files of almost 7,000 patients.

The Attorney General’s office is reviewing the breach and will issue further updates on the incident when further information is found. Indiana’s Disclosure of Security Breach law requires people to be notified of any breaches of personally identifiable information. Affected individuals will be advised of the breach in the coming weeks.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy