Arkansas suit shows why trust can’t be assumed in biometrics matters

The operator and owners of a former hospital in Arkansas are going to court because they allegedly abandoned their patients’ biometric data when the facility closed.

According to reporting by Arkansas Business, executives closed the Eastern Ozarks Regional Health System hospital, in Sharp County, without destroying thousands of patient and employee records left on the site.

The state attorney general’s office visited the hospital last fall and found doors unlocked and windows broken. Offices reportedly had been ransacked and some number of personal files had been rifled.

Those files, according to a civil suit filed by the state, contained biometric and medical information as well as social security, business account and driving license numbers.

The state filed case number 68CU-22-33 on March 17 against a number of defendants including Country Medical Services, operator of the services, and business owners Theresa Hanson of Deland, Florida, and Robert Becht of Hartsville, Tennessee.

They violated Arkansas’ 2005 Personal Information Protection Act (PIPA) and its Deceptive Trade Practices Act.

PIPA requires that anyone acquiring, owning or licensing the personal information of a state resident to destroy the data or arrange for its “reasonable security.” This did not happen in the case of Eastern Ozarks.

The business opened in 1995 and had grown to multiple buildings on the site until December 2004, when the defendants “abruptly and immediately” shut the whole business down, according to the lawsuit.

According to Arkansas Business, the state’s health department recorded 33 or more possible violations in 2004 related to the company’s inability to provide emergency services, likely precipitating the closing.

Civil penalties of up to $10,000 per violation could be levied for the loss of unsecured biometrics and other personal data.

The cost of running afoul of biometrics laws can be sobering.

Just this week, the U.S. Court of Appeals for the Ninth Circuit upheld an earlier judgment that attorneys for the plaintiffs in Facebook’s milestone $650 million privacy settlement are entitled to $97.5 million in fees.

Article Topics

biometric data  |  biometrics  |  data protection  |  data storage  |  healthcare  |  lawsuits  |  legislation  |  patient identification  |  privacy  |  United States