Paper files with information including names, Social Security details, and medical records, along with details of cancer diagnoses and sexually transmitted diseases (STDs), have been found at a recycling center in Allentown, Pennsylvania.
The files seem to have originated from Women’s Health Consultants, an obstetrics and gynecology practice based in South Whitehall Township and Hanover Township, PA. Women’s Health Consultants is no longer operating.
It is unclear how the records came to be left at the recycling center as the container where the records were found of was not covered by the surveillance cameras present at the center.
The center does have a secured recycling container where sensitive documents includinging confidential information can be disposed of safely, but that container was not the one used. The records were left in a container where they could be accessed by unauthorized people.
The individual who found the files left an anonymous tip on the non-emergency line of the Allentown communication center. According to a report in The Morning Call, a city worker visited the recycling center and pushed the records further into the container, so they were no longer clearly visible. Since the information was , the container has been loaded onto a truck and is no longer accessible by the general public. The container will now be moved to a recycling company.
The privacy breach has been made known to the Pennsylvania attorney general’s office, although it is unclear whether an investigation into the incident has been initiated.
HIPAA regulations require all physical records that include patients’ protected health information to be disposed of safely, making all information unreadable and indecipherable, so that it cannot be reconstructed. For paper histories, this typically includes shredding, pulping, or setting fire to the files. If that process is to happen off-site, the records should be secured while on the move to ensure they cannot be accessed by unauthorized people.
Failing to dispose of records safely can attract a harsh financial penalty, ranging from $100 to $50,000 per breach, up to a maximum of $1,500,000.
The Department of Health and Human Services’ Office for Civil Rights has already punished healthcare organizations for failing to dispose of medical records properly. During 2015, Cornell Prescription Pharmacy paid $125,000 to settle an improper disposal case with OCR.