Last week, North Carolina Attorney General Roy Cooper announced that Dr. Ervin Batchelor, owner and operator of the Carolina Center for Development and Rehabilitation (CCDR), has paid $40,000 for the alleged illegal disposal of patients' medical records.
In June of 2010, the CCDR dumped 1,000 patient files at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people. Mecklenburg County officials contacted the Attorney General’s Office, which then launched an investigation into the illegal dumping.
Besides the fine, Dr. Batchelor has agreed to comply with both state and federal data security laws to protect patients' personal financial and medical information. The CCDR has already notified patients of the data breach. North Carolina law requires businesses and local government agencies to notify consumers affected by a data breach.
In North Carolina, organizations must also report data breaches to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006. AG Cooper said:
“Any business you entrust with your information has a duty to keep it safe. Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”
I agree. This is a good example of why all organizations that archive consumers' personal medical and financial information should have data security procedures in place to prevent data breaches. Unfortunately, several special interest groups, notably physicians and accountants, have lobbied the U.S. Congress for exemptions to the Red Flag Rules. Special interest groups often claim that the Red Flag Rules are an unnecessary and cumbersome burden.
Well, post-data-breach responses are a huge burden on organizations. The above fine is one of many costs. And the improper disposal or theft of consumers' sensitive personal financial and medical information is a huge burden on consumers. Instead of wasting time and resources looking for ways to avoid protecting consumers' information, these groups should be doing the opposite. Protecting consumers' data is in both their and consumers' best interests.