Capstone Dental Center, PC (dba Arnerident Dental Associates) recently notified (pdf) the New Hampshire Attorney General’s Office that an email address for one doctor was typed incorrectly. As a result, attachments containing unencrypted dental information and the Social Security number of one patient were sent to the email address of a dairy farmer located in Wisconsin, who promptly contacted them about their mistake.
As much as I believe in the importance of every individual’s privacy and data protection, does it strike anyone else as absurd that this had to be reported to a state attorney general’s office? And if it does seem unnecessary or like overkill, then what should be the trigger(s) for notification to state attorneys general?