HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Crown Point Medical Tests Discovers HIPAA Violation

A former business belonging to Crown Point Medical Tests has violated the Health Insurance Portability and Accountability Act (HIPAA) after it failed to securely dispose of files containing the Protected Health Information (PHI) of at least 167 individuals. The victims had previously had medical tests processed through My Fast Lab.

My Fast Lab was founded by Barry Walker of Cedar Lake in 2013, although the business is no longer in operation. The company was known for its highly discounted medical testing services, which were advertised as being up to 70% less than competitor rates.

However the business did not survive, and the former office of the company has since been listed. Some of the contents of the facility, including patient files, have been dumped along with regular commercial waste in a public area, in violation of HIPAA Rules. HIPAA demands that PHI is securely and permanently destroyed when it is no longer required.

Highly Sensitive Data Dumped in Public

The files were found by a local resident at the back of a Crown Point strip mall. While taking out the trash from the pizza restaurant where he worked, Adam Mitchell noticed a number of items in the dumpster which looked like they could be of value.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

He saw two blood centrifuges, a digital printer and some discarded medical supplies, along with what appeared to be a number of paper files. Mitchell was aware that sensitive data could not be disposed of in public dumpsters. He retrieved the files that had not been irreparably damaged by liquid waste. 17 files were recovered in total.

The data contained in the files was of a highly sensitive nature, and included medical test results such as paternity tests, drug screening information and tests for sexually transmitted infections. Patients’ names, addresses and telephone numbers were listed along with Social Security numbers, Driver’s license numbers, insurance card numbers, blood types, and credit card numbers. Credit card expiry dates and security codes were also listed in the files.

Mitchell wasn’t sure what he should do with the information so called one of the numbers on the list – that of a local businessman – who was annoyed to discover the disclosure of his personal information. Mitchell was subsequently advised to alert the press, and contacted a newspaper run by the Times Media Co. The matter has now been reported to the state Attorney General and the files have been collected and secured.

It is not clear at this stage how the data got from the disused offices to the dumpster. What is clear is that My Fast Lab should have prevented this disclosure from occurring. The Indiana attorney general is likely to take action for the HIPAA violation.

The state AG has already exercised his right to take action over the illegal dumping of medical records. A fine for $12,000 was issued to Joseph Beck earlier this year for failing to securely dispose of medical records.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.