New England Dermatology Discovers Specimen Bottles Disposed of Incorrectly for 10 Years

New England Dermatology has started notifying 58,106 patients about the exposure of some of their protected health information. In an April 30, 2021 breach notice, New England Dermatology explained the privacy breach was due to the improper disposal of specimen bottles by its in-house pathology laboratory.

The lab should have been sending the specimen bottles for shredding or incineration since the specimen bottles had printed labels that included patient data covered by the HIPAA Rules; however, they were discarded as regular trash. The information on the bottles included patients’ first and last names, birth dates, dates of specimen collection, name of provider who took the specimen, and body part from which the specimen was taken. No other information was included on the labels. The regular trash, including the specimen bottles, was collected by a waste contractor that serviced the building and was sent to landfill.

The improper disposal dated back to February 4, 2011 and continued until the HIPAA violation was discovered on March 31, 2021. Any individual whose specimen(s) was analyzed by its pathology lab during that time will have had the above information exposed. New England Dermatology is unaware of any cases of attempted or actual misuse of patient data.

In response to the discovery, policies and procedures were immediately changed and further training has been provided to staff members.

Alaska Department of Health and Social Services Reports Malware Attack

On May 18, 2021, the Alaska Department of Health and Social Services (DHSS) announced that that its website,, was affected by a malware attack. The website was taken offline on May 17, 2021 to prevent harm to its servers, systems, and databases, and the website will remain offline until the attack is remediated and fully investigated.

In addition to the main DHSS website, some other systems have been taken offline including its background check system, behavioral health and substance abuse management system, the Alaska vital records system, Case Management System for TANF work activities, and the system used by schools to report vaccine data for public health purposes.

The DHSS does not know how long the investigation will take nor for how long the above systems will remain offline. It is unclear who launched the attack and the motives of the attackers. Further information will be made available to the public as details about the attack are confirmed, including if protected health information has been compromised.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.