Maybe one day, a law or regulation will require entities to purge old data that is no longer needed or requires it to be disconnected from the internet. If anyone needs a fresh example of why we need that type of law or regulation, here it is:
Richard T. Miller, DMD, PC, d/b/a Great Neck/Mid Island Dental (“Great Neck Dental”) acquired the assets of another dental practice back in 2015. The law firm of Cooperman Lester Miller Carus LLP (“CLMC”) was hired to assist with the transaction and was provided with certain patient information.
Fast forward seven years.
On October 7, 2022, CLMC notified Great Neck Dental that it had learned that one of its partners had an email account compromised between March 27 and June 1, 2022. When CLMC reviewed the compromised account, they found patient data from Great Neck Dental that could have been accessed. Information in the partner’s email account included patients’ names, dates of birth, Social Security numbers, and dental insurance information.
Great Neck Dental is not aware of any misuse of the information. Still, it now has the obligation under HIPAA to notify 22,933 patients, many of whom may no longer be at the addresses they were at in 2015 and many of whom may never have become their patients when Great Neck Dental purchased the assets of the other practice.
In addition to the costs of investigating and notifying patients, Great Neck Dental also has the cost of offering them credit monitoring and identity restoration services for a year with IDX. DataBreaches does not know whether Great Neck Dental has any insurance policy that will cover all the costs, or if the law firm is covering costs, or some combination, but a lot of time and costs have been incurred over an easily avoided breach.
Why was protected health information from that 2015 business transaction still sitting in an email account of an unnamed law firm partner?
What security provisions did the law firm have in place with its partner, and when was the last time any of it was reviewed?
It was probably a bit of a shock to Great Neck Dental to be told that patient data from seven years previously was involved in a data breach at a firm they may never have heard of and that they may have never contracted with directly.
There are lessons to be learned or re-learned:
- Purge old data that is no longer needed for the purpose for which it was originally collected and stored. If you’re not sure you should or can purge it, then at least encrypt it and move it offline; and
- If you are the covered entity or firm contracting with a vendor, make sure you have provisions in your contract detailing should happen to protected health information at the conclusion of any services. Then monitor to make sure those provisions are followed.