failing to protect private data
Last year the Boston Globe accidentally distributed a printed list of customer information including customer credit cards. No reports of the data being used.
Recently TJX had a security breach of their computers and an unknown amount of information including credit card numbers was taken. Numerous reports of charges against customer accounts. TJX discovered the breach but sat in their hands for a month until they had fixed the holes before going public. In the meantime customers were getting bogus unauthorized charges.
The list goes on and on.
There is an implicit trust relationship in the credit card banking system. If that trust cannot be maintained the system will fail.
While it is important to encourage companies to come forward when data is exposed, what should be the penalties when companies screw up and lose control of the data?
I discovered a couple of years ago that nothing is sacred. Someone divulged some of my medical information to a relative who divulged it to someone else, etc., etc. and it finally came to my attention. I was horrified and discovered that a distant relative worked in the data entry section of the medical center and had loose lips with regard to my info. I took it all the way to the attorney general's office (I followed protocol and first contacted the center's health information officer). I discovered that my only recourse was to personally file a suit for punitive damages against my distant relative (and of course I didn't want to get into that). The medical center released the employee for some reason unknown to me because her privacy was protected. It was appalling to me that my medical history became the topic of discussion by other people because I thought the Privacy Act gave me some protection. It really doesn't unless you're willing to let your own personal life become public through the court system while the person who violated your privacy has more protection through the courts. If someone divulged my credit card info and it was used to cause me damage, then I think they should have to pay any damages you've sustained and compensate you for your troubles.
Originally Posted by valentine,Jan 31 2007, 10:31 AM
I discovered a couple of years ago that nothing is sacred. Someone divulged some of my medical information to a relative who divulged it to someone else, etc., etc.
My wife works at a hospital and they take HIPAA very seriously. She won't even mention a patient's name to me. There was someone we both knew in the hospital and she didn't tell me until she asked their permission.
There was a laptop stolen from the hospital and they think there was information about patients on it. Even though they said it was password protected and hidden in the files, the hospital contracted with one of the credit reporting agencies and gave thousands of people 7 years of credit alert protection. To my knowledge nobody has been a victim of Identity theft due to the stolen laptop.
Originally Posted by PokS2k,Jan 31 2007, 07:51 AM
There was a laptop stolen from the hospital and they think there was information about patients on it. Even though they said it was password protected and hidden in the files, the hospital contracted with one of the credit reporting agencies and gave thousands of people 7 years of credit alert protection. To my knowledge nobody has been a victim of Identity theft due to the stolen laptop.
I can't remember how many years of credit alerts I'm getting, but I'm sure it's less than 7. I'm really liking this credit alert thing. Getting an email every time anyone does a credit check on me is great.
That is currently a federal crime. HIPAA regulations require full confidentiality of medical information unless the patient specifically in writing permits the release of the data.
I work in health care, and I am currently under the care of the organization I work for. They are going through great lengths to make sure my information is not available to my staff or anyone who works at the agency. My file is not in the regular secure file room and is only released to staff who are caring for me as they have to complete the documentation. They have to request the file from the Nursing Manager who keeps it under lock and key in her office. The office staff care for me and want to know how I am doing, but without my consent no one can talk about it. If I choose to allow information to be divulged that is different.
Breaking HIPAA regulations would get someone fired and there may be further ramifications if the patient decides to press charges.
It is the yin and yang of medical care these days. You have to maintain patient privacy and at the same time make sure that anyone who has the need to know has the information available.