Improper PHI Disposal Leads Allina Health System to Alert 6,000

by | Dec 30, 2015

The Allina Health System Minneapolis Isles clinic has notified around 6,000 patients of a breach of their Protected Health Information (PHI).

The clinic, located at 2800 Hennepin Avenue, found instances of improper PHI disposal had occurred after documents including sensitive information were found in regular garbage. HIPAA rules dictate that all documents containing PHI to be rendered unreadable, indecipherable, and incapable of being reconstructed prior to being destroyed.

The HIPAA breach is not understood to have resulted in any patient health data being viewed by unauthorized people, although the clinic is unable to guarantee that to be the case.

According to a release by Allina Spokesman, David Kanihan, the incident is thought only to be a “technical breach of unsecured protected health information.” Because a danger does exist, out of an abundance of caution Allina Health System will be offering all affected patients a year’s credit for monitoring services.

The data, possibly exposed, included names of patients, their mailing addresses, dates of birth, health plan details, medical record numbers, the last four digits of Social Security numbers, and some clinical information. However, since some health plans use members’ full social security numbers as their health insurance IDs, a limited number of patients have possibly had their full SSN exposed.

This improper disposal of PHI was found on October 27, 2015. While hospital policies required documents containing PHI to be got rid of in secure shredding bins, some had been placed in containers that were emptied into regular trash dumpsters. Those dumpsters were private and only utilized by the clinic and were not accessible to the public. The dumpsters were placed in a locked garage within the clinic grounds. Trash was gathered weekly and taken to a garbage processing facility. The trash was subsequently sent to be burned.

An investigation showed that the improper dumping of PHI potentially dated back to April 6, 2015, although that only happened “in limited circumstances.” It is unclear how many patients had their data exposed by the breach, as it was impossible to deduce which patients’ information were listed on the improperly of documents.

In order to ensure that all patients affected by the improper PHI dumping were issued a breach notification letter, Allina Health System took the decision to send letters to all patients who visited the clinic between April 6, and October 27. It is probable that only a small amount of those 6,000 patients had their PHI exposed.

The only patients that would have been affected are those who had their PHI printed on documents. This was not something that occurred with every patient according to Kanihan. Most members of staff were also conscious of the rules covering PHI disposal and would have placed the documents in the correct containers, further minimizing the number of patients likely to have been affected.

To lessen the risk of further incidents such as this occurring in the future, Allina Health System has replaced its trash bins with containers that have been clearly marked for shredding. Employees of the clinic have also been retrained on the importance of using the correct bins for any documents containing patient PHI.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy