Those of you with long-enough memories may remember an Internet radio piece I did a couple of years ago in which I told the tale of a Boston Globe photographer who was bringing his trash to his local dump and discovered a 20-by-20-foot mountain of patient records from four Massachusetts hospitals that had not properly been disposed of. (Read the original news report.)
This week, the circle closed around this as the individual doctors and the former owners of the billing company involved agreed to pay a fine of $140,000 and contribute to a state data protection fund. According to the Globe article posted on Monday, the pile of papers “included records for more than 67,000 people, including names, addresses, Social Security numbers, pathology reports for people tested for various kinds of cancer, and other test results.”
A quick trip to the calculator tells us that the penalty leveled by the Massachusetts attorney general’s office comes to $2.09 per record, give or take depending upon the specific number of people affected and the size of the fund contribution. My question is whether the punishment here fits the crime.
The cynical among us will look at this figure and conclude that it is low enough to be considered a cost of doing business for caretakers of medical records who may decide it is not worth the hassle to actually shred and/or incinerate every document in their charge. Others may decide that the aggregate sum is high enough to keep organizations on the straight and narrow, especially considering that no evidence of identity theft or other impropriety was found in the wake of the discovery of the building-sized pile of paper.
Whatever your view, I think we can all agree that the issue is beginning to become more costly to ignore than it has been before. I’m just curious to know how large this cost must become before organizations decide it is cheaper to properly dispose of their medical records than to risk being fined for carelessness or criminality.
I just got notified that I could potentially be a member in a class action suit, because a social media site used images from a page I administer without consent. The potential settlement = $10/person! So let’s just put this in perspective: data breach victims are awarded $2.09 per person, and social media victims could be awarded $10 per person? Does anyone else see a problem here?