Data Breaches at Iowa Department of Human Services and Cedarbrook Nursing Home

The Iowa Department of Human Services sent notification letters to 4,784 people regarding the potential compromise of their protected health information (PHI).

On November 25, 2019, a member of the department staff threw away documents that contain the PHI of Dallas County customers in a regular garbage dumpster. The records should have been shredded prior to disposal. The improper disposal was discovered late as the dumpster was already emptied. An investigation of the incident revealed that the custodial employee who threw away the paperwork did not know that the content of the documents were confidential data.

It was impossible to identify the names of the patients affected, and so the Iowa Department of Human Services sent notification letters to all people potentially affected by the breach. The information contained in the documents likely included names, birth dates, mailing addresses, Social Security numbers, driver’s license numbers, disability data, medical details, banking and wage data, receipt of Medicaid, mental health data, names of provider, prescription medications, and data on substance abuse and illegal drug use.

Impermissible Disclosure of Prescription Data of Cedarbrook Nursing Home Residents

Cedarbrook nursing home in Lehigh County, PA sent notification letters to 688 residents because their prescription data was inadvertently shared with firms wanting to tender for the pharmacy contract of the nursing home.

Cedarbrook nursing home sent an email with the wrong file attachment to 16 firms in December 2018. The correct file included invoice data showing the medicines prescribed from October to November. The attached file also listed the names of the patients who were given those prescribed medicines.

The mistake was uncovered immediately. Cedarbrook nursing home requested all 16 companies to delete the file. All 16 HIPAA-covered companies confirmed that they have deleted the file.

As a precautionary measure, all affected persons received a notification regarding the privacy breach. It is believed that there is a low risk of patient data misuse. The nursing home has updated its procurement procedures and necessitate supervisory inspection of the outgoing contract information prior to dispatch.