June 03, 2010

Shred-it calls on healthcare leaders to make sure patient information is secure

Offers free one-time copier hard drive destruction to every healthcare organization in the United States that becomes Shred-it’s client in 2010

DALLAS, Texas – June 3, 2010 – Shred-it, an information security company that provides secure information destruction services worldwide, is pleased to offer free copier hard drive destruction to every healthcare organization that becomes Shred-it’s client in 2010. Shred-it will destroy up to 100 hard drives, a potential value of $1,200.

“Healthcare administrators selling or disposing of used photocopying machines may inadvertently do so without removing and securely destroying the hard drives that contain private medical information,” says Vincent R. De Palma, President and CEO at Shred-it, a company that serves over 1,500 hospitals and clinics worldwide.

In fact, more than 60 percent of Americans do not realize that copiers contain a hard drive that stores images, according to a recent CBS report. In the healthcare environment, information stored within copier hard drives may include personal patient data.

Releasing this sensitive information to unauthorized third-party organizations or individuals is a privacy violation and an information security threat that can potentially lead to identity theft and fraud. It is also a direct violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, which includes provisions safeguarding the privacy of patient health records.1

Shred-it's special offer of free copier hard drive destruction to every healthcare organization in the U.S. that signs a Customer Service Agreement and becomes its client in 2010 addresses this issue and raises awareness of the importance of destroying all sensitive information that is no longer needed, in both electronic and paper form.

“At Shred-it, our mission is to help organizations protect the privacy of their clients’ information. Our message to healthcare leaders is – when it comes to protecting the confidentiality of your patients, the best medicine is prevention, and the best prevention is physically destroying sensitive information that is no longer needed. Our ‘shred-all’ policy extends to paper-based and other information sources, such as copier hard drives.”

Sensitive medical information, exposed by a security breach, may be used by unauthorized parties to obtain medical treatments, benefits and prescription drugs or to tap into the victim’s insurance and bank accounts. The World Privacy Forum estimates the number of medical identity theft victims to be between 250,000 to 500,000 people each year.

In the healthcare organizational context, the cost of a security breach can be dire, including the pain and frustration of the loss of privacy, time, money and, in some cases, health, if a patient is misdiagnosed and receives wrong medical treatment as a result of fraudulently altered medical records.

Common security risks in the healthcare context include:

  • Copier hard drives, laptops, external storage drives and back-up devices and other sources with sensitive medical information stolen, misplaced or not destroyed securely when the information is no longer needed.
  • Confidential paper documents disposed of in recycling boxes or garbage bins.
  • Patient records faxed to the wrong place.
  • Plastic hospital patient cards misplaced or stolen.
  • Medical information erroneously posted on the Internet.
  • Medical files left unattended in file rooms, on staff desks and in door folders; or unrestricted physical access to sensitive medical files.


To prevent these incidents, Shred-it has a number of information security recommendations for the healthcare sector:

  • List all information security risks specific to your organization, targeting both paper-based and electronic information sources; consider every stage of the information cycle, from data generation and storage to the transfer of data from location to location and the information destruction process.
  • Develop stringent and enforceable policies regulating access to sensitive patient information, as well as the protocols for authorization and authentication of individuals accessing health information.
  • Train your employees in best practices in secure information management and destruction.
  • Securely destroy all medical information - in electronic and paper form – that is no longer required to be kept on record.
  • Outsource information destruction to high-quality professional providers, who ensure the total security of the information destruction process, and can provide documentation to certify that the chain of custody has been maintained and the work has been completed.
  • Partner with a document destruction specialist to audit your operations to help your organization identify gaps in security.

1 http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf