NC: Prompt Med Fined for Improper Disposal of Records
Following up on a breach previously covered here and here, the North Carolina Attorney General’s Office released this statement yesterday:
A Greensboro urgent care center has paid $50,000 because its patients’ financial and medical information were illegally disposed of in a dumpster, Attorney General Roy Cooper announced Friday.
“When you share your personal information with a business, you expect it to be secure,” Cooper said, “Businesses have a duty to make sure your information isn’t just thrown in the trash where identity thieves or other criminals could find it.”
Under a state law that Cooper pushed through the General Assembly in 2005, businesses that dispose of personal identifying information are required to destroy or shred those records, so that identity thieves can’t retrieve information from discarded files that have been carelessly thrown away.
However, four boxes of patient records from the Prompt Med at 3402 Battleground Avenue in Greensboro were found in a dumpster at East Cone Boulevard and Summit Avenue in August 2009. Approximately 600 files were recovered containing personal information on 757 individuals. The records contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, and insurance account numbers, as well as personal health information.
Cooper launched an investigation into the illegal dumping of the records, which resulted in the settlement announced today.
Under the settlement, Prompt Med is permanently barred from improperly disposing of patient records and has paid $50,000, including $26,650 in civil penalties that will go to public schools. The remaining $23,350 will go to fund consumer protection education and enforcement efforts, and to cover the costs of the Attorney General’s investigation into the company. In addition, Prompt Med also paid an additional $50 for proper destruction of the illegally dumped records.
At the request of the Attorney General’s office, Prompt Med previously reported the incident as a security breach and notified consumers whose information was placed at risk. A security breach happens when records containing personal information are lost, stolen or inappropriately displayed.
North Carolina law requires businesses as well as state and local government agencies to notify consumers if a security breach may have compromised their personal information. They must also report breaches to the Consumer Protection Division. A total of 471 breaches involving information about more than 2.2 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006.
Cooper’s office found out about the dumping of Prompt Med records thanks to reports from a local television station. Based on information from concerned citizens, local law enforcement, and reporters, the Attorney General’s Consumer Protection Division is currently investigating several other cases of reported document dumping by a non-profit in Charlotte, a mortgage lender in Morehead City, a doctor’s office in Roanoke Rapids, and a business in Caldwell County.
Anyone with information about a business that isn’t following the law to destroy old records and protect consumers from identity theft is encouraged to report it by calling 1-877-5-NO-SCAM toll-free within North Carolina. Consumers and businesses can also visit www.ncdoj.gov for simple ways to fight identity theft and an online complaint form.
“Businesses owe it to their customers to keep their personal information safe,” said Cooper. “If you spot a business that’s making it too easy for criminals to get their hands on your information, let my office know about it.”
Investing $50 in shredding could have saved the company $50,000. There’s probably a lesson in there somewhere.
Kudos to the NC Attorney General’s Office for investigating and pursuing these cases.
Cross-posted from PHIprivacy.net