The following article recently appeared on NAID’s web site
“MEDICAL RECORDS DUMPED IN PUBLIC RECYCLE BIN
Action 3 News – Omaha, Nebraska
October 5, 2010- Several folders containing sensitive health information were found at a public recycling bin in Omaha, Nebraska. The folders contained addresses, social security numbers, and doctor recommendations. When notified of what the bin contained, the owners of the recycling facility immediately removed it from a publicly accessible area.”
What is interesting about this news item is that it encapsulates EVERYTHING that will go wrong when private information is discarded without being destroyed beforehand; the potential for Identity Theft and fraud, the possibility of one or more entities being sued for both the security breach, and the leaking of sensitive personal medical information, the bad image and press generated for not only
those responsible for discarding the information so casually, but also the recycling center where the documents were discovered by a member of the public, who also happened to be a nurse.
The recycling center was just that, a place to take non-sensitive paper for recycling. It was not, and was not presenting its facility as, a place to destroy confidential documents.
All laws relating to privacy and security of information, and regulatory bodies stipulate that the responsibility for information shredding is with the generator of the information.
Sure, the recycling facility owner got the bad press, and whatever damage that could do to his business, but the legal responsibility, and potential for financial penalty is with the medical facility, or practice that dumped the records.
Going out of business, or closing up shop doesn’t end the responsibility either. And all of this could have been avoided by calling a certified shredding company.
The records have been linked to a local doctor’s gastroenterology practice, and it is believed that investigations are under way.