Whoops, a dentist office down the street from my house seems to have lost the personal data of 60 or so patients. Faulty data security? Open wireless access point exploited? Nope, something a little simpler: a failure to shred paper records.
Aspen Dental in Nashua, N.H., threw out a bunch of paperwork containing patient names, addresses, dates of birth and partial Social Security numbers. Its trash contractor, Waste Management, seems to have dropped the bag of trash on a major thoroughfare in town (one I drive on every day) with the paperwork left blowing in the wind. The local paper, after a tip from a nearby business, picked up many of the pieces and began contacting affected patients as well as Aspen Dental. Needless to say, the patients weren't too pleased. Aspen didn't seem too happy either, although they claim it is out of their hands and the trash contractor is to blame. Aspen also claims they were in compliance with HIPAA regulations when disposing of the trash.
Now, I am not a HIPAA expert, so I don't know if Aspen is in the clear on the regulatory issue. But two things need to happen as a result of this case:
Coincidentally, this week's Voices from IT Roadmap podcast talks about security compliance at a healthcare company. Paul VanAmerongen, manager of Information Security Services at MultiCare Health System in Washington, says that when it comes to building business processes to deal with compliance, start with a common-sense approach that encompasses how you would want your own data treated, then tweak it to comply with the letter of the law.
In this week's case of Aspen Dental, common sense would have said, "Shred the documents."