Kerbside collection, found PC items containing dental records outside dental practice.

I went to look at a property in an area that was having a kerbside collection. Outside a dental practice were a few PC items. I grabbed them, as you do :) suspecting them not to work or at least have the hard drives missing.

Get home, they are all intact and seem to be running perfectly.

Here's what is quite a surprising find:

One has no password and no data wiped! All their dental booking programs are working and I can see 1000s of people's addresses, records, letters, etc. (it contains everything you can imagine a dental practice PC may contain). This is the principal dentist's PC, who appears to have been in practice for over 40 years - it contains a lot of data, staff procedures, etc! It felt a little weird seeing all this so I stopped looking.
A laptop had no password either - which has a few letters to patients.

I have no intention of doing anything dodgy with the data, ever, BUT I'm somewhat annoyed I guess. This could have landed in the wrong hands and got them in all sorts of trouble, but what really annoys me is how careless they have been with patients' and staff's privacy.

So my reason for posting is: should I bother to let them know they chucked out items without shredding data OR just do as I plan and format with a few rewrites and put the PCs and laptop to use?

It would be a really weird conversation… "you know those PC bits, well… goodbye"

Comments

  • +8

    Dentists might know a lot about dental health but most likely clueless about technology / computer security in general.

    Right thing to do now is to do a quick erase using DBAN https://dban.org/ (Darik's Boot and Nuke); if you can't be bothered, just smash the hard drives up and buy new ones of your own.

    I'd write an anonymous email to the business stating what you found on the kerb and that they should be careful in the future etc.

    • +2

      Totally agree with this - the dentist is unlikely to really do anything different but it would be handy for them to know. Be cautious though, they may think you're trying to blackmail them about releasing confidential data so maybe it might just be best if you wipe everything thoroughly and just go on with your life knowing you've done a good deed.

    • +2

      I think I'll do this, but as Halo375 mentioned I don't want it to have even a hint of blackmail. I suppose I could say a friendly warning: "data has been wiped correctly and thanks for the kit, my kids will use it" should put them at ease.

    • I'd return the drives to them and ask them to dispose of them properly according to the law. If they need advice on how to go about this, then they need to speak to the privacy commissioner.

      I find it strange that they would toss a working laptop and PC.

      I don't think you should take it upon yourself to destroy the data.

  • +11

    Report it to the Privacy Commissioner, not to get them in trouble but because businesses need to meet their obligations with people's personal information and this dental practice obviously needs help with that.

    • -4

      This is something I will definitely not be doing. It is careless but given the situation, I can just imagine the setup there, old practice in a very wealthy area and the dentist who comes along with that probably has no clue about tech let alone security.

      It is never too late to learn though, hence my post about should I bother to let them know to be far more careful next time.

      • +12

        It should be reported to the appropriate body because the dentist won't listen to you. The proper and safe handling of patients' data is taken seriously in the industry, especially if you are responsible for running a practice.

        They can provide the appropriate training required.

        This might be a start:
        http://www.dentalboard.gov.au

    • Doesn't it only apply if they earn more than 3 mill?

      • +3

        The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act), outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information.

        https://www.oaic.gov.au/privacy-law/privacy-act/

    • I came to say this too. Ignorance of the law is no excuse.

  • What I would do is study those procedures, apply for dental college, smash it and roll in the money!

  • -3

    It's against the law to take rubbish from the sidewalk anyway, so maybe just destroy it, just in case you get a fine.

    • +7

      Why would you destroy a perfectly working hard drive? Please hand in your Ozbargain membership.

  • -1

    I understand where you're coming from in terms of being annoyed over privacy. Despite it being a major oversight, we can only speculate why that data is still on there and was out on the kerb for anybody to grab.

    You may have been caught on security footage if they have cameras on the premises, and it could be used against you if they know that you have those hard drives in your possession, so be cautious about contacting the clinic. Your good intentions may easily backfire.

    I would do what I think would be right by them: formatting and then disposing. If you wanted to go a step further, you can physically place several drill holes in them so they are never usable again, which eliminates the possibility of somebody else trying to retrieve the data.

  • -1

    Thanks for the comments - as I never plan to use the data, I've started formatting the drives and I'll email them to let them know to be more careful with their records.

    • +8

      Don't email them, notify the relevant health bodies and the privacy commissioner. Insecure disposal of personal information is nothing to sneer at.

      • +1

        Agree. I don't want my health records landing in the wrong hands.

    • -1

      Don't contact them as they may not throw out any more stuff for you to collect next time.
      Just reinstall Windows and be happy for the freebie.

  • +1

    I really think you should report it; it's for the greater good. Don't think about ramifications for the business, which would be nothing because you've deleted the evidence, but think about the next lot of personal information that they'll inevitably turf out to the footpath. For them to take this seriously you should both inform the dentist and any relevant regulatory and industry bodies about this breach.

  • +2

    Seems like it's too late, but I wouldn't format them in case it's needed for evidence. Mishandling of patient data is a pretty big deal; there's a reason it's used in so many TV shows as the MacGuffin. I don't care if the dentist is old and doesn't know technology, they would know how sensitive patient data is. Just because it's on a computer and they don't know computers is no excuse.

    • Precisely!
      It's akin to leaving an unlocked filing cabinet filled with personal info out in public. I'd want the offender sanctioned.

  • How much do you need to smash a hard drive to ensure it can't be reused?

  • Dentists have to register with AHPRA just as I do.

    Search their name on AHPRA to get their registration member first. Then report it to them immediately. Even if they retired, they still must retain records safely.

    Section here on retaining records for dentists
    https://www.dentalprotection.org/docs/librariesprovider4/den…

    Check registration here
    http://www.ahpra.gov.au/registration/registers-of-practition…

    The profession is dental practitioner - this is the search - you will need also name and state.

    What they have done is against the law and they need to receive their reprimand via their registering body - who will also take it up elsewhere.

    They will do it again otherwise. This is absolutely not good enough and they deserve everything they get.

    There may be other bodies too for complaints. I have found AHPRA not helpful on the phone and a horrendous website. The dental body may be more helpful.
