Central Valley Regional Center, based in Fresno, California, provides services to persons who have developmental handicaps. It informed patients concerning the recent leakage of paper documents that contain their personal data. There is no announcement about the number of impacted persons.
Central Valley Regional Center hired a new vendor that offered janitorial services. In July, Central Valley Regional Center found out that the new janitorial services provider was disposing of sensitive documents together with normal garbage. The documents were put in containers for garbage and ought to have been shredded. The vendor had been throwing away the documents in garbage bags together with normal garbage.
The investigation revealed that one Central Valley Regional Center facility was involved in the improper disposal of documents between March 2025 and July 2025. The documents most likely contained information such as names, addresses, birth dates, other personal details, Social Security numbers, and medical records. Central Valley Regional Center submitted the incident report to police authorities, the California State Department of Developmental Services, the California Attorney General, and reviewed all vendor contracts, together with policies associated with data privacy and security practices.
Additionally, steps were undertaken to avoid identical occurrences later on, which include the following measures:
- Putting locks on all shredding containers
- limiting access to shredding containers to its authorized shredding vendor
- changing janitorial service measures to give more precise guidelines on garbage disposal
- putting up signs about the correct waste disposal steps
- carrying out regular audits to ensure adherence to internal guidelines and procedures
- affirming goals concerning privacy and data security with its vendors
The impacted persons received mail notifications and offers of identity protection support.
Incidents of improper disposal are rather uncommon; however, they can bring about the leakage of large amounts of PHI. The incident warns other healthcare providers regarding the value of giving clear directions to service providers concerning their accountabilities with regard to private data, which includes service companies that deal with physical PHI.