Here are seven things to know:
1. An employee left a box containing patient information under her desk on Nov. 6.
2. Overnight, a temporary housekeeping staff member, believing the documents in the box were recycling, moved them to the recycling bin instead of the confidential bin for shredding.
3. HIPAA mandates that covered entities properly dispose of PHI. Acceptable methods of paper record disposal include shredding, burning, pulping or pulverizing.
4. The hospital was unable to determine which specific patients had their information recycled instead of shredded, but the box contained only the information of patients seen Nov. 5 and Nov. 6.
5. Potentially compromised information includes patients’ names, dates of birth, medical record numbers, genders, ages, provider or resource names, primary care providers, dates of service, patient account numbers and insurance codes.
6. San Mateo said the clinic’s manager conducted site visits Nov. 8 and Nov. 16 and instructed the clinic to no longer use recycling bins but rather to immediately place confidential information into a shred bin.
7. “We regret that this incident occurred, and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight,” Gabriela Behn, privacy and corporate compliance officer at San Mateo, wrote in the notice to patients.