|
|
|
|
|
 |
 |
|
|||
|
Search:
|
Health Care Provider Agrees to Pay Nearly $1M to Texas for Mishandling Personal Data
Posted: July 28, 2008
Page Tools:
For More Information Contact:
Related Practice Areas:
Texas Attorney General Greg Abbott has announced a settlement agreement with a company for violation of state law mandates to protect personal information. The company agreed to pay Texas $990,000, including $100,000 in attorneys’ fees, and to strengthen its existing information security policies. A State Attorney General investigation found that the health care provider, Select Physical Therapy Texas L.P., in violation of state data privacy and security requirements, improperly disposed of customer records containing sensitive personal information. The settlement was reached without confirmation of any identity theft or other misuse of the personal information of individuals whose records may have been accessed due to the company’s mishandling. The Texas Identity Theft Enforcement and Protection Act requires all businesses in the state to “implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” For purposes of the Act, “sensitive personal information” means an individual's first name or first initial and last name in combination with any one or more of the following unencrypted items:
The definition excludes publicly available information that lawfully is made available to the general public by the federal government or a state or local government. The language of the law is broad enough to encompass and protect the “sensitive personal information” maintained by employers about their employees and their employees’ dependents. The Texas Attorney General’s office investigated the company after the Levelland Police Department reported finding more than 4,000 documents containing the health care provider’s customers’ sensitive information, such as bank account numbers, medical evaluations, drug and alcohol testing verification results, plan of care forms, insurance verification sheets, and social and vocational therapy questionnaires. The police discovered the documents while apprehending a suspect crawling out of a dumpster behind the provider’s facilities. In addition to paying nearly $1 million to the state, the company must amend its existing information security procedures to ensure compliance with the state data protection laws. The settlement also requires annual training of the company’s Texas employees for the next five years. Such training must include, among other things, a mandatory course explaining identity theft, its costs to individual customers and the importance of complying with the company’s newly implemented document disposal protocol. The company must post signs detailing record storage and disposal requirements, and maintain certification records showing each employee’s compliance with the training requirements. With more states requiring businesses to safeguard personal information, including New York, California, Massachusetts, Maryland, Connecticut, and Oregon, employers need to evaluate their privacy and security practices to ensure the personal information of their employees and others is adequately protected. This is a growing concern for all businesses, particularly those with operations in more than one state. Accordingly, all businesses should consider developing a comprehensive strategy for protecting personal information. Jackson Lewis can help businesses evaluate their data privacy and security compliance needs and assist in policy analysis and drafting, as well as executive and employee training.
|
