I had no idea that tattoo parlors have to collect and retain so much personal information, did you?
Maurielle Lue reports on a breach involving Sacred Art Tattoo in Flat Rock, Michigan:
Fox 2 found company documents containing clients' personal information, including birth certificates, driver's licenses, Social Security numbers and credit card information.
We talked to owner Steve Fisher Sunday night. He said it wasn't intentional, and believes his girlfriend may be to blame.
She’s to blame because he gave her access to records he should have protected and disposed of properly? How is that her fault? In any event, here comes another mind-boggling statement from the owner:
“I’m just blown away that I’ll be on the news for something I didn’t do,” he said when confronted inside his shop. “My girlfriend remodeled the house and I just tried to get rid of them. How else am I supposed to get rid of them? Burn them or throw them away?”
Burning them would be better than throwing them away unshredded. And the state law requires proper disposal after mandatory data retention – which Fisher didn’t seem to have complied with, either:
Some of the documents we found are client consent forms from as recently as last year. But the State Department of Community Health clearly requires all body art facilities to keep all records for at least 3 years, so clients can be notified of a health risk.
After 3 years are up, the State says client records may be destroyed, by shredding or incinerating, or any other manner that protects the confidentiality of all client-related documents.
Read more on MyFoxDetroit.