I’m not sure I understand from the notification (reproduced below) how this incident occurred, but Central New York Cardiology is notifying 824 patients after the post office sent the practice a package of patient records that had been found loose in a mail receptacle.
The records were appointment lists from October 2017 that, according to CNYC, should have been securely shredded by an unnamed HIPAA-compliant vendor.
So how did those appointment lists wind up in a mail receptacle at all? Does CNYC mail the to-be-shredded records to their vendor, or does the vendor come into possession of them another way? Did someone find the records and just toss them in a mail receptacle? What happened here?
The records in question contained the patients’ appointment information: name, type of visit, and in some cases, health insurance information.
In response to the incident, CNYC has taken a number of steps, including switching from paper appointment lists sent to their various offices to electronic transmission of appointment lists. It’s not clear from their notification what, if anything, they are doing with respect to the unnamed vendor.