California Business Associate Improperly Disposed of Patient Data
Central Valley Regional Center, a Fresno, California-based state-funded provider of services to individuals with developmental disabilities, has notified patients about the recent exposure of physical documents containing their personal information. The number of affected individuals has yet to be announced.
Central Valley Regional Center employed a new vendor that provided janitorial services. In July, Central Valley Regional Center discovered that the company had been disposing of confidential documents along with regular trash. The documents had been placed in bins for confidential waste and should have been shredded. The vendor had been emptying the shredding bins and disposing of the documents in trash bags along with regular waste.
The investigation revealed that the improper disposal of documents occurred between March 2025 and July 2025 at one Central Valley Regional Center facility only. The documents likely included information such as names, addresses, dates of birth, other personal data, medical information, and Social Security numbers. The incident has been reported to law enforcement, the California Attorney General, the California State Department of Developmental Services, and all vendor contracts have been reviewed, along with policies relating to data privacy and security protocols.
Further, steps have been taken to prevent similar incidents in the future, including adding locks to all shredding bins, restricting access to shredding bits to its approved shredding service provider, revising janitorial service procedures to provide more explicit instructions on waste disposal, adding signage regarding proper waste disposal procedures, implementing routine audits to ensure compliance with internal policies and procedures, and affirming expectations regarding confidentiality and data protection with its vendors. The affected individuals have been notified by mail and have been offered identity protection services.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Improper disposal incidents are relatively rare, yet they can result in the exposure of large amounts of PHI. The incident should serve as a warning to other healthcare organizations about the importance of providing clear instructions to service providers about their responsibilities with respect to confidential information, including service providers who may encounter physical PHI.
