Iowa Department of Human Services Notifies 4,784 Patients About Improper Disposal Incident

The Iowa Department of Human Services has announced that the protected health information of 4,784 individuals has accidentally been exposed.

On November 25, 2019, a member of staff disposed of documents containing the protected health information of Dallas County clients in a regular garbage dumpster instead of sending the records for shredding. By the time the improper disposal incident was discovered, the dumpster had been emptied. An investigation was launched, which revealed that the custodial employee who disposed of the paperwork was unaware that the documents contained confidential information.

It was not possible to determine exactly which patients were affected, so notification letters were sent to all individuals potentially impacted by the breach. The documents likely contained information such as names, dates of birth, mailing addresses, driver’s license numbers, Social Security numbers, disability information, medical information, banking and wage information, receipt of Medicaid, mental health information, provider names, prescriptions, and substance abuse and illegal drug use information.

Update: 02/04/2020: The breach report submitted to the HHS’ Office for Civil Rights indicates 4,501 individuals were affected by the breach.

Cedarbrook Nursing Home Residents Notified of Impermissible Disclosure of Prescription Information

688 residents of the Cedarbrook nursing home in Lehigh County, PA are being notified that their prescription information was accidentally shared with companies interested in tendering for the nursing home’s pharmacy contract.

An email was sent to 16 companies in December 2018 with an incorrect file attachment. The correct file contained invoice information detailing the medications prescribed in October through November. The file attached to the email included the names of the patients who received those medications.

The error was discovered promptly, and requests were sent to all 16 companies asking for the file to be deleted. All 16 companies, which were HIPAA-covered entities, confirmed that the file had been deleted.

All affected individuals have been notified about the privacy breach out of an abundance of caution. The risk of misuse of patient information is believed to be very low. Procurement procedures have now been updated and require all outgoing contract information to be checked by a supervisor prior to being sent.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.