Central Valley Regional Center faces breach by human error
Abby Grifno
Sep 26, 2025 1:00:00 AM

The California-based and state-funded provider is now notifying patients about an accidental data exposure.
What happened
Central Valley Regional Center (CVRC) in Fresno, California, recently released a statement notifying patients of a data breach.
According to the notice, CVRC was made aware of an incident in July and soon after launched an investigation that determined some private health and financial information may have been exposed.
The investigation determined a janitorial service contracted by CVRC had been improperly disposing of confidential information. This information was intended to be shredded, but was instead disposed of in trash bags with other waste.
The improper disposal of these documents took place at one of CVRC’s facilities between March 2025 and July 2025.
CVRC provides services to individuals with developmental disabilities and noted that information involved in the incident may have been from as far back as 2015. Information may have included names, addresses, dates of birth, Social Security numbers, medical information, and other personal data.
What’s next
CVRC stated that after the discovery, the company immediately took steps to begin properly disposing of confidential information. They have also notified federal authorities and the California State Attorney General. They are also opening a call center for those who need assistance and offering LifeLock for anyone who would like identity protection services. The organization further stated that they do not believe any information has been misused but “take seriously the commitment to protecting the privacy and security of the individuals we serve and their families.”
Why it matters
Although the janitorial service is not technically a business associate, the incident shows the potential vulnerabilities third parties can bring into a healthcare organization. According to Paubox’s 2025 Healthcare Email Security Report, “third-party vendors often introduce invisible risk, and smaller orgs rarely have the oversight or leverage to enforce security best practices.”
FAQs
Are janitorial services considered business associates?
According to the Department of Health and Human Services (HHS), janitorial services are generally not considered business associates, as they only interact with PHI in incidental circumstances. However, they can still be involved in accidentally disclosing PHI, which was the case in this situation.
Why is it important to shred confidential documents?
Confidential documentation should always be disposed of carefully. In fact, HIPAA requires that PHI paper records be shredded, burned, pulped, or pulverized so that they are rendered unreadable.