Thousands of soldiers’ and civilians’ protected health information could be at risk after a serious Army PHI breach was discovered in Fountain, Colorado.
A local news agency discovered files containing personally identifiable information carelessly dumped on the side of a remote dirt road, a clear violation of HIPAA Army regulations. The records originated at Fort Carson, an Army garrison for the 4th Infantry Division. Reporters discovered that the files contained names, Social Security numbers, and financial records, in addition to detailed disciplinary information about sexual assaults, hate crimes, and other alleged crimes committed by soldiers.
Because health information was found in the documents, the incident could potentially qualify as a HIPAA Army breach. Many of the documents were dated between 2009 and 2013 and were clearly labeled for destruction after two years.
Local Colorado news agencies reached out to some of the affected individuals for comment. One woman, who asked only to be identified as “Terri,” is a civilian whose protected health information was found among the dumped documents. She works at a law office and says she’s considering legal action.
Fort Carson released the following statement soon after the Army PHI records were discovered:
On September 14th, Army records containing personally identifiable information and personal health information were discovered in a field in Fountain. All known Army PHI records involved in this incident have been recovered and secured by military police investigators and the investigation remains ongoing.
Fort Carson and the 4th Infantry Division take this loss very seriously. Military Police Investigators have identified a suspect in this case and all indications are that this is an isolated incident. Fort Carson officials are making every effort to contact personnel affected by this loss. The records pertain to legal actions in the 4th Infantry Division’s 3rd Armored Brigade Combat Team between the years of 2008 and 2014 and were scheduled for destruction. We fully understand our responsibilities in safeguarding personal information and will make all efforts to assist impacted individuals.
Following through on the proper disposal of documents containing PHI is paramount to protecting patients’ privacy rights. HIPAA Army regulation clearly outlines the need for policies and procedures governing the safe destruction of PHI. Failing to dispose of PHI properly could result in HIPAA violations and fines.
High-profile breaches are often seized upon by OCR for investigation, but because of the sensitive nature of the documents and the ongoing Army investigation, it’s still unclear whether the incident will spawn an OCR HIPAA investigation.