Secure destruction professionals as well as their customer too often think of Data Breach Notification as a byproduct of massive cyber breaches.  However, while they have admittedly been few and far between, improper hard copy disposal is also subject to such measures.

Last month, the University of Tennessee Medical Center had to inform some 8,000 patients that the hospital had discarded records without shredding them first. While a hospital spokesperson put forth some garbage (excuse the pun) about waste disposal itself being “secure,” it still had to comply with HIPAA/HITECH’s health data breach notification provision.

This type of publicity should have medical facilities across the US reevaluating their information destruction policies.  And for future reference, after February 18th of next year this could have been ruled as willful neglect under the new HITECH mandatory fine structure, with a fine that would have hypothetically reached the maximum threshold at $1,500,000.00.