DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

HHS Settles Charges Against Cornell Prescription Pharmacy Over Disposal of Records

Posted on April 24, 2015 by Dissent

Cornell Prescription Pharmacy (Cornell) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies in the area.

OCR opened a compliance review and investigation after receiving notification from a local Denver news outlet regarding the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. Evidence obtained by OCR during its investigation revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

In addition to the $125,000 settlement amount, the agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training. The Resolution Agreement can be found on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-cap.pdf

OCR offers helpful FAQs concerning HIPAA and the disposal of protected health information:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office

SOURCE: HHS

NOTE from DataBreaches.net: According to the resolution agreement:

On January 13, 2012, the HHS Office for Civil Rights (OCR) initiated a compliance review and investigation of CPP following receipt of a media report dated January 11, 2012. Specifically, OCR received a report from 9 News, the Denver National Broadcast Company news affiliate, that protected health information (PHI) maintained by CPP was disposed of in a dumpster that was accessible to the public.

If this breach affected over 1,600 patients, how is it that this incident was never included in HHS’s public breach tool? I did not see the media coverage at the time and so this breach was never reported on PHIprivacy.net, but why didn’t HHS list it?

Category: ExposureHealth DataOf NotePaperU.S.

Post navigation

← TX: Killeen Trio Sentenced to Federal Prison for Tax Refund Fraud Scheme
CA: Pittsburg residents charged with stolen identity refund fraud →

2 thoughts on “HHS Settles Charges Against Cornell Prescription Pharmacy Over Disposal of Records”

  1. Edwina says:
    May 1, 2015 at 8:29 pm

    I have had medication filled at this pharmacy I’m wondering since I do get controlled medications can this jeopardize my safety and where I live.

    1. Dissent says:
      May 2, 2015 at 10:00 am

      Did you get any notification letter that your information was caught up in the breach (at least the one they detected)?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
  • Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme
  • Texas Doctor Who Falsely Diagnosed Patients as Part of Insurance Fraud Scheme Sentenced to 10 Years’ Imprisonment
  • VanHelsing ransomware builder leaked on hacking forum
  • Hack of Opexus Was at Root of Massive Federal Data Breach
  • ‘Deep concern’ for domestic abuse survivors as cybercriminals expected to publish confidential abuse survivors’ addresses
  • Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • Privilege Under Fire: Protecting Forensic Reports in the Wake of a Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras
  • Cocospy stalkerware apps go offline after data breach
  • Drugmaker Regeneron to acquire 23andMe out of bankruptcy

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.