A former business owned by Crown Point Medical Tests has breached the Health Insurance Portability and Accountability Act (HIPAA) after it did not securely dispose of files containing the Protected Health Information (PHI) of at least 167 people. The victims had previously had medical tests completed through My Fast Lab.
My Fast Lab was established by Barry Walker of Cedar Lake in 2013, although the business is no longer operating. The company was known for its low-cost medical testing services, which were advertised as being up to 70% less than competitor prices.
However, the business closed, and the former office of the company has since been listed. Some of the contents of the facility, including patient files, have been disposed of along with regular commercial waste in a public area, in violation of HIPAA Rules. HIPAA requires that PHI is securely and permanently destroyed when it is no longer required.
The files were located by a local resident at the rear of a Crown Point strip mall. While taking out the garbage from the pizza restaurant where he was employed, Adam Mitchell recognized a number of items in the dumpster which looked like they could be of value.
He saw two blood centrifuges, a digital printer and some discarded medical supplies, along with what seemed to be a number of paper files. Mitchell was aware that sensitive data could not be disposed of in publicly accessible dumpsters. He removed the files that had not been damaged beyond repair by liquid waste. Overall, 17 files were recovered.
The data stored in the files was of a highly sensitive nature, and included medical test results such as paternity tests, drug screening data and tests for sexually transmitted infections. Patients’ names, addresses and telephone numbers were listed along with Social Security numbers, driver’s license numbers, insurance card numbers, blood types, and credit card details. Credit card expiry dates and security codes were also held in the files.
Mitchell wasn’t sure what to do next with the data, so he called one of the numbers on the list – that of a local businessman – who was angry to discover the disclosure of his personal data. Mitchell was subsequently advised to notify the press, and contacted a newspaper run by the Times Media Co. The matter has now been reported to the state Attorney General and the files have been gathered and secured.
It is not obvious at this stage how the data got from the disused offices to the trash dumpster. What is known is that My Fast Lab should have stopped this disclosure from occurring. The Indiana attorney general is likely to take action for the HIPAA breach.
The state AG has already used his right to take action over the illegal dumping of medical records. A fine of $12,000 was issued to Joseph Beck earlier this year for failing to securely get rid of medical records.