Private Medical Data has been found at a recycling center in Allentown, Pennsylvania. Paper files containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases were located that the center by a city worker.
The medical files appear to have belonged to Women’s Health Consultants, an obstetrics and gynecology firm, that is no longer in business, but that had centers in South Whitehall Township and Hanover Township, PA.
There is no evidence to show how the records came to be dumped at the recycling center. It is difficult to ascertain this as the container where the records were disposed of was not covered by surveillance cameras.
There is a locked recycling container at the center where sensitive documents containing confidential information can be destroyed securely, but that container was not used. The records were placed in a container where they could be taken and seen by unauthorized individuals.
The person who came across the files left an anonymous tip on the non-emergency line of the Allentown communication center. The Morning Call reported that a city staff member went to the recycling center and pushed the records further into the container, so they were no longer seen by the public. The container has since been shifted onto a truck and is no longer accessible. The container will be taken to a recycling company.
Pennsylvania attorney general’s office has been made aware of the privacy breach, although it is unclear whether an investigation into the incident will happen.
HIPAA legislation requires all physical records containing patients’ protected health information to be destroyed securely, rendering all information illegible and indecipherable, so that it cannot be reconstructed i any way. For paper records, this usually involves shredding, pulping, or burning the relevant files. If that process is to take place off-site, the records should be secured while they are being moved to ensure they cannot be seen by unauthorized individuals.
The failure to destroy records securely can result in a significant financial penalty, ranging from $100 to $50,000 per ioccurence, up to a maximum of $1,500,000.
The Department of Health and Human Services’ Office for Civil Rights has sanctioned healthcare organizations for improperly destroying medical records.