I like seeing state attorneys general take enforcement action over breaches, even if the amount of the monetary penalties is quite small, as in this case. This case may remind people who have offices or satellite offices in their homes that they can’t just leave employee or patient data lying around where anyone can see it or easily access it.
TOPEKA – (January 18, 2018) – A Topeka healthcare company and its owners have been fined for failing to protect patient and employee records, Attorney General Derek Schmidt said.
Pearlie Mae’s Compassion and Care LLC, and Ann Marie Kaiser and Jenell Jones, the owners of the company that provides care for disabled consumers, agreed to pay an $8,750 civil penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act. The consent judgment, which was approved last week by District Judge Franklin R. Theis in Shawnee County District Court, also requires the defendants to make changes to their business practices in accordance with state laws and to pay the attorney general’s investigation costs.
In June 2017, during the course of assisting the Topeka Police Department in executing a search warrant, special agents of the Kansas Attorney General’s office observed patient and employee records containing personal information in Kaiser’s home, which also served as one office location for the company. The records were found in open view, unsecured and accessible to anyone in the residence, including persons who had no legitimate business reason to access the personal information in the records. A lawsuit filed by Schmidt in June alleged the defendants failed to implement and maintain reasonable procedures and practices to protect personal information and by failing to take reasonable steps to destroy or arrange for the secure destruction of records containing personal information when the records no longer are to be used.
“Personal information” includes information such as a social security number, driver’s license number, financial account number or credit or debit card number that can be misused to commit identity theft or otherwise harm the person whose information is compromised. It also includes any information, such as medical records, for which a security obligation is imposed by federal or state statute. Under Kansas law, businesses that collect the personal information of others have a duty to safeguard it.
A copy of the consent judgment is available here .
Source: Kansas Attorney General Derek Schmidt
h/t, WIBW