PHI Potentially Exposed at Iowa Department of Human Services and Cedarbrook Nursing Home

The Iowa Department of Human Services informed 4,784 people concerning the potential exposure of their protected health information (PHI) because of improper disposal of documents.

On November 25, 2019, a member of the DHS staff put documents containing the Dallas County clients’ PHI together within the regular garbage dumpster. The staff should have shredded the documents before disposal. DHS was late in discovering the improper disposal as the dumpster had been emptied already. The incident investigators learned that the custodial employee who disposed of the records wasn’t aware that the documents contained confidential information.

It was not possible to determine the names of the patients impacted by the incident, therefore the Iowa Department of Human Services notified all individuals possibly impacted by the breach. The documents contained information such as names, mailing addresses, birth dates, driver’s license numbers, Social Security numbers, disability information, medical information, banking and wage records, Medicaid receipt, mental health information, names of provider, prescription drugs, and information on substance abuse and illegal drug use.

Impermissible Prescription Data Disclosure at Cedarbrook Nursing Home

688 residents of Cedarbrook nursing home in Lehigh County, PA received notification letters that their prescription information was shared by mistake with companies hoping to tender for the nursing home’ pharmacy contract.

In December 2018, Cedarbrook nursing home emailed the wrong file attachment to 16 companies. The correct file contained invoice data and the prescribed medicines for the period of October to November. The attached file additionally listed the patients’ names who received those prescribed medications.

Cedarbrook nursing home discovered the mistake immediately and asked the 16 companies to get rid of the file attachment. Confirmation of file deletion was received from all 16 HIPAA-covered companies.

As a safety precaution, Cedarbrook sent notifications to all affected persons concerning the privacy breach, even if the possibility of patient data misuse is low. The nursing home already updated its procedures for procurement and now require the supervisor to inspect outgoing contract data before dispatch.