Return of the Living Documents

PDF

Frank Johnson had been foreman at Uneeda Medical Supply Warehouse since the early 1980s. Uneeda’s president and CEO, Burt, had always trusted Frank with the big jobs such as keeping Uneeda’s sensitive records safe. Uneeda had a lot of sensitive records, including from its direct-to-patient business selling insulin pumps under a Medicare program. One day, Burt announced that the Company was “going digital” and asked Frank to dispose of old paper sales orders that Uneeda kept from its direct-to-patient sales. Frank gathered the files from the dusty cardboard boxes shoved into a supply closet. He even managed to find files Burt had stored in one of the unused cabinets in the visitor’s lobby because “no one comes in anymore — they’re all ordering online.” Frank thought he would save Burt a little money on the disposal by asking his friend Ernie at the mortuary next door to incinerate all the old documents.

Ernie’s incinerator was notoriously unreliable. “No problem,” Ernie thought, “I’ll just turn the heat up higher.” It was late and Ernie was on his third cup of coffee when the fire in the incinerator began to sputter. Ernie decided to bury the last armload in a shallow grave in the cemetery behind the mortuary, rather than try to fix the faulty incinerator. 28 days later some disaffected teens partying in the graveyard found thousands of Uneeda’s patient records scattered amongst the headstones. Now the government wants to know what else Uneeda has been hiding. Burt told local reporter Gale Weathers he “wished those records would have stayed buried!”

Don’t let old documents with personal information come back to haunt you! Follow these tips:

1. Store sensitive records, especially those containing personal or other sensitive information, in a secure place.

2. Keep an inventory of the personal information you store and track where you store it.

3. Have a document management policy that addresses document retention and destruction.

4. Be sure your policy includes a reliable process for destroying unwanted records so personal or other sensitive information is no longer readable.

5. Designate a responsible employee to carry out your data policies and procedures.

6. Select vendors and business associates carefully, and make sure they are contractually obligated to safeguard sensitive information and to bear the risk of loss of a data breach.