OIS Commentary: Is this really necessary?
Capstone Dental Center, PC (dba Arnerident Dental Associates) recently notified (pdf) the New Hampshire Attorney General’s Office that an email address for one doctor was typed incorrectly. As a result, attachments containing unencrypted dental information and the Social Security number of one patient were sent to the email address of a dairy farmer located in Wisconsin, who promptly contacted them about their mistake.
As much as I believe in the importance of every individual’s privacy and data protection, does it strike anyone else as absurd that this had to be reported to a state attorney general’s office? And if it does seem unnecessary or as overkill, then what should be the trigger(s) for notification to states attorney general?