Add this to your “small breaches, big impact” analyses. As reported in the New Zealand Herald:
A doctor’s office disclosed a patient’s childhood abuse when a letter was sent to the person’s neighbour accidentally.
The incident happened when the patient told their GP about past abuse, who referred them on to counselling to help work through issues stemming from that abuse.
The GP’s office followed up the referral by sending a letter to the patient’s house.
The envelope did not have the patient’s name on it, or a return address.
It also had the incorrect street number, and went to a neighbour’s house instead of the patient’s house.
Not knowing who the letter was for or who it was from, the neighbour opened the letter, accidentally finding out about the patient’s abuse history.
BOOM. A well-intentioned missive, undone by sloppy mailing procedures.
The Privacy Commissioner’s Office handled the complaint and there was some unspecified compensation to the patient and corrective action for the entity, but there are some bells that can’t be un-rung. Now this patient’s neighbor knows an extremely sensitive detail about their neighbor’s past. Do they try to go on as they had in the past, or does the neighbor feel obligated to say something? Does the patient feel obligated to say something? And what stops the neighbor from gossiping with other neighbors?
Do you see where these things can go?
One stupid envelope, misaddressed, with no return address.
Bah.