Allina alerts more than 6,000 patients that data may have been thrown in trash, not shredded

Allina Health System is contacting more than 6,000 patients at a Minneapolis clinic about a potential privacy breach involving documents that apparently were thrown in the trash, rather than secure shredding bins.

There is no indication that a patient's personal information has been misused, Allina said in a statement Wednesday, and the Minneapolis-based health system said it believes the risk of unauthorized use is low.

Even so, Allina is offering one year of free credit monitoring and identity protection services to patients potentially affected.

The incident comes as the federal government's list of privacy breaches that involve protected health information from 500 or more patients keeps growing. Six breaches of that size have been reported this year from Minnesota, according to data from the U.S. Department of Health and Human Services (HHS), and about 250 breaches nationwide.

"We did report to HHS," David Kanihan, an Allina spokesman, wrote in an e-mail.

"We are not able to determine with any certainty that anyone's personal information was actually breached," Kanihan wrote. But he added: "Because the potential exists, we determined to consider this as a technical breach of unsecured protected health information … and follow the other procedures for breaches affecting 500 or more people."

On October 27, Allina discovered that in limited circumstances, containers that might have had documents with patient information were being emptied into a private trash dumpster instead of secure shredding bins, the health system said in a statement.

An investigation determined this might have been occurring since April 6 at the clinic, which is located at 2800 Hennepin Av. in Minneapolis.

Allina sent letters to all patients treated during the time period because it doesn't know which ones might have had their information sent to the trash, Kanihan said, adding that the number actually affected is "undoubtedly lower."

The majority of staff at the clinic properly disposed of paper documents during the time frame in question, Kanihan said.

For a patient to have had information mistakenly put in the trash, the clinic would have had to print documents with protected information related to that patient, which doesn't happen in all cases, Kanihan said.

In addition, the documents would have had to had been placed in the trash rather than the shredding containers, which also wasn't happening in all cases.

The documents may have included patient names, dates of birth, medical record numbers, addresses, clinical information, the last four digits of Social Security numbers and health plan information, according to the statement. Social Security numbers might have been involved, Allina said, for individuals whose health insurance ID lists their Social Security number.

"Upon discovering the situation, Allina Health promptly initiated an investigation and determined that the trash dumpster was located in a locked garage only accessible to individuals with authorized access," Allina said. "The trash from the dumpster is picked up weekly and taken to a city-owned disposal center where it is eventually incinerated."

Allina says it has since replaced containers at the clinic with containers clearly marked for shredding, and retrained clinic staff.

Patients who wish to enroll in the credit monitoring/identity protection service or who have other questions should call toll-free 1-855-559-9708 from 8 a.m. to 6 p.m. (Central Time) Monday to Friday.

Christopher Snowbeck • 612-673-4744

Twitter: @chrissnowbeck