The following press release from North Carolina Attorney General Roy Cooper is a follow-up to a breach previously covered on PHIprivacy.net:
Dr. Ervin Batchelor of the Carolina Center for Development and Rehabilitation in Charlotte has paid $40,000 for illegally dumping files containing patients’ financial and medical information, Attorney General Roy Cooper announced Wednesday.
“Any business you entrust with your information has a duty to keep it safe,” Cooper said. “Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”
Dr. Batchelor owns and operates Carolina Center, a psychological testing and treatment facility located at 6813 Fairview Road Suite D in Charlotte. In June of 2010, Carolina Center illegally disposed of 1,000 patient files by dumping them at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people.
Under a state law that Cooper pushed through the General Assembly in 2005, businesses that dispose of records that contain personal identifying information are required to destroy or shred those records, so that identity thieves can’t retrieve information from discarded files that have been carelessly thrown away. Medical records also face additional restrictions under federal health privacy laws.
The records disposed of by Carolina Center were recovered by Mecklenburg County officials, who contacted the Attorney General’s Office. Cooper launched an investigation into the illegal dumping of the records, which resulted in the settlement announced today.
To resolve the investigation, Dr. Batchelor has paid $40,000 and agreed to abide by both state and federal laws that protect people’s personal financial and health information.
At the request of the Attorney General’s Office, Carolina Center has already notified the patients whose information was placed at risk. North Carolina law requires businesses as well as state and local government agencies to notify consumers if a security breach may have put their personal information at risk.
Security breaches must also be reported to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006.
Based on information from concerned citizens, local law enforcement, and reporters, Cooper’s Consumer Protection Division has previously won settlements in several other document dumping cases, including a Greensboro urgent care clinic, a Gastonia movie rental store, and two mortgage lenders from the Charlotte area.
Anyone with information about a business that isn’t following the law to destroy old records and protect consumers from identity theft is encouraged to report it by calling 1-877-5-NO-SCAM toll-free within North Carolina. Consumers and businesses can also visit www.ncdoj.gov for simple ways to fight identity theft and an online complaint form.
“If you spot a business that’s making it easy for criminals to steal your personal information, let my office know about it,” Cooper said.
Note that HHS’s summary of their investigation paints a somewhat different picture of the breach than what was originally told to the press in 2010 in terms of types of information leaked and how the breach occurred. Although CCDR originally claimed that the psychologists’ adult sons had mistakenly taken the wrong boxes to the recycling center and although the press release does not mention any specific types of financial data involved, HHS summarizes the case as:
The covered entity inadvertently sent 23 boxes containing protected health information to a recycling center. These boxes contained the names, addresses, Social Security numbers, insurance identification numbers, clinical information, and credit/debit card numbers of 1,590 individuals. Following the breach, the covered entity reviewed its policies and procedures, suspended several employees, and set up credit monitoring for those individuals affected. As a result of OCR’s investigation, the covered entity placed a record into its accounting of disclosure log for each member impacted, terminated the suspended employees, revised its policies and procedures, and retrained staff.
Were his adult sons the employees who were suspended? One wonders.