HealthReach Community Health Centers announced that a breach occurred as the result of improper disposal of medical records. More details are discussed below.

How Did the Breach Occur?

Disposal of Medical Records

HealthReach Community Health Centers released a statement regarding a breach that occurred due to the improper disposal of medical records. The healthcare provider contracted a third-party data destruction company (considered a business associate under HIPAA) to dispose of a hard drive containing protected health information (PHI).

It was later found that the business associate failed to properly dispose of the hard drive containing the medical records of more than 100,000 patients.

Although there is no evidence that any PHI has been misused, information contained on the hard drive included patient names, addresses, birth dates, Social Security numbers, medical insurance information, lab results, medical record numbers, and treatment records.

HealthReach Community Health Centers stated, “We are working with cybersecurity counsel to determine the actions to take in response to the incident. Together, we continue to investigate and closely monitor the situation. Further, we are taking steps to prevent a similar event from occurring again in the future, including ensuring our data storage vendors re-train employees and comply with the required safeguards as to the disposal of sensitive information.”

Patients affected by the incident are eligible for complimentary identity theft protection services including 12 months of credit monitoring, a $1 million insurance reimbursement policy, and identity theft recovery services.


HIPAA Disposal of Medical Records Requirements

HIPAA imposes requirements for the proper disposal of medical records, with the intention of preventing accidental PHI exposure. 

The Department of Health and Human Services’ guidance on removing PHI from hard drives states, “Appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media.”

The National Institute of Standards and Technology (NIST) provides additional guidance on what each of these methods means, and how they are performed. 
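The "clearing" method in the HHS guidance above is only complete once the overwrite is verified, which is the step the business associate in this incident evidently skipped. The script below is an added illustration, not code from HealthReach, Compliancy Group or HHS: it overwrites a medium with a fill byte, flushes to disk, and reads every byte back to confirm nothing else remains. It takes a path that stands in for a block device (a scratch file in the demo; a node such as /dev/sdX in practice, where the device path is an assumption).

```python
"""Clearing electronic media before disposal, as HHS describes it: overwrite
with non-sensitive data, then verify the overwrite actually happened."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write unit


def clear_media(path: str, passes: int = 1, fill: int = 0x00) -> int:
    """Overwrite every byte of the medium at `path` with `fill`, forcing the
    data to stable storage. Returns the number of bytes overwritten per pass."""
    block = bytes([fill]) * CHUNK
    with open(path, "r+b", buffering=0) as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()           # works for regular files and block devices
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the OS page cache
    return size


def verify_cleared(path: str, fill: int = 0x00) -> bool:
    """Read the whole medium back and confirm every byte equals `fill`.
    A single leftover byte fails the check, so a partial overwrite is caught."""
    expected = bytes([fill]) * CHUNK
    with open(path, "rb", buffering=0) as f:
        while chunk := f.read(CHUNK):
            if chunk != expected[:len(chunk)]:
                return False
    return True


def demo() -> tuple[bool, bool]:
    """Constructed sample: a scratch file holding fake PHI-like records."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"MRN 000123 Jane Doe DOB 1970-01-01 SSN 000-00-0000\n" * 2000)
    os.close(fd)
    before = verify_cleared(path)   # False: the records are still readable
    clear_media(path)
    after = verify_cleared(path)    # True: only the fill pattern remains
    os.remove(path)
    return before, after
```

Overwriting addresses the addressable area only; sectors a drive has remapped, or flash wear-levelling spares, are why the guidance also lists purging and physical destruction.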
