Sophos Cloud Optix
Names, Social Security numbers, and medical diagnoses for more than 67,000 Massachusetts residents in the US were tossed into a public dump as is – no redacting, no shredding, no nothing – according to a press release put out by Attorney General Martha Coakley last week.
For the alleged mishandling and improper disposal of medical records, former owners of a medical billing practice, along with the doctors involved, have agreed to pay a $140,000 settlement.
According to the Boston Globe, one of its photographers noticed the pile of paper records when tossing his own trash at a Georgetown, Massachusetts dump in July 2010.
Beyond names, addresses, and Social Security numbers, the records in the pile included pathology reports for people tested for various kinds of cancer, along with other test results, according to the Globe.
The defendants involved in the settlement are Dr. Kevin Dole, former President of Chestnut Pathology Services, P.C.; Milford Pathology Associates, P.C.; Milton Pathology Associates, P.C.; Pioneer Valley Pathology Associates, P.C.; and Joseph and Louise Gagnon, d/b/a Goldthwait Associates.
According to the Attorney General, each of the four pathology groups and the Gagnons agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
The pathology groups were charged with violating HIPAA regulations as well as state data security regulations by “not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.”
Although no data breaches are known to have come from the dumping, Coakley said in the release that thousands of people were put at risk:
"Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors."
"We believe this data breach put thousands of patients at risk, and it is the obligation of all parties involved to ensure that sensitive information is disposed of properly to prevent this from happening again."
A few other recent incidents of illegal records dumping and one much more gruesome subsequent fine than that imposed on the Massachusetts medical practice:
- Walgreen’s was fined $16.57 million in December for tossing toxic waste and customers’ personal medical information into dumpsters.
- Shredded, confidential police documents made a starring appearance as confetti in Macy’s Thanksgiving Day Parade in November.
- A $750,000 settlement with Massachusetts’ South Shore Hospital in May 2012 resolved allegations that it failed to protect the personal and confidential health information of more than 800,000 patients.
There are better, safer, more legal ways to dispose of paper than the dumpster, and they can have the added good-citizen, easier-on-our-good-earth glow of recycling.
Here’s an article full of improper-paper-handling horror stories I put together last year, along with this list of secure document handling tips:
- Appoint somebody who’ll know where sensitive customer information is stored. Then store it securely in a locked room or cabinet.
- Make sure only authorized employees have access. Ensure that storage areas are protected from physical hazards, like fire or floods.
- Maintain secure backup records and keep archived data secure by storing it offline and in a physically secure area.
- Have a retention schedule that takes into account an organization’s legal, regulatory and operational requirements. Determine guidance on how long records need to be kept, as well as what to do with them when the business doesn’t need them anymore.
- Tandberg Data’s Guide to Data Protection Best Practices [PDF] advises us that when you try to figure out what paper needs to stay around and what can be destroyed, you should work with your legal department or advisor, along with anybody in the organization who actually works with the materials.
- Don’t cheap out. Make sure you use a recycler that’s certified with NAID, the National Association for Information Destruction, which is an international organization.
I’ve said it before, and I’ll say it again: Happy cross-hatch shredding.
Garbage bag, folders and paper shredding images courtesy of Shutterstock
I didn"t know that medical records could be destroyed until 100 years after the death of the patient they were being kept for.
What are you saying, Freida? Do you think medical professionals Should or Shouldn’t be kept 100 years after their death?
Oh! I haven’t read the PDF yet. Does it state 100 years? If so, that’s crazy.
"Although no data breaches are known to have come from the dumping,"
"Coakley said …We believe this data breach put thousands of patients at risk,"
data breach:
"You keep saying that word… I don't think it means what you think it means"
In other words, either there was; or there wasn't. It can't be both.
Nonetheless, the fact that its known that all that data was there means SOMEONE found it out. Isn't that the definition of breach?
oh geez, you're absolutely right. that was sloppy. I should have said "identity theft" or something like that. thanks for calling me out on that, Connie.
Why do people still today tout recycling paper as a "Save the Trees" effort?
The trees from which we make paper are GROWN TO MAKE PAPER. So if we were to find a way to never have to make new paper, and be able to recycle all the paper in the world forever, we'd have LESS TREES!