Nursing home company failed to protect patient and employee records, banned from doing business in KS


A Georgia nursing home company has been banned from doing business in Kansas for 10 years and fined $100,000 for failing to protect patient and employee records, Attorney General Derek Schmidt said today.

AltaCare Corporation, of Alpharetta, Georgia, which was doing business as Pinecrest Nursing Home in Humboldt, has been prohibitied from doing business in the state of Kansas for 10 years from the effective date of a consent judgment approved earlier this week by Chief Judge Daniel D. Creitz in Allen County District Court. The company was also ordered to properly destroy all Pinecrest Nursing Home records at the company’s expense by shredding, erasing, or otherwise modifying the personal information in the records to make them unreadable.

The judgment resolves a lawsuit filed by Schmidt in May 2017 alleging AltaCare, as the manager of Pinecrest Nursing Home, violated Kansas data-protection laws by failing to implement and maintain reasonable procedures and practices to protect personal information and by failing to take reasonable steps to destroy or arrange for the secure destruction of records containing personal information when the records no longer are to be used.

NUInvestigators with the Attorney General’s Consumer Protection Division learned that Pinecrest Nursing Home was unsecured and was broken into and vandalized by unknown persons multiple times after the facility closed in 2011. Records containing personal information had been left observable and accessible in plain sight. Although Humboldt city officials notified AltaCare that the records were not secure within the Pinecrest building, the company failed to take action to protect those records and the personal information they contained.

The attorney general’s office secured the records to prevent further potential unauthorized disclosure of personal information.

“Personal information” includes information such as a social security number, driver’s license number, financial account number or credit or debit card number that can be misused to commit identity theft or otherwise harm the person whose information is compromised. It also includes any information, such as medical records, for which a security obligation is imposed by federal or state statute. Under Kansas law, businesses that collect the personal information of others have a duty to safeguard it.

In addition, AltaCare agreed to pay a $100,000 fine and to reimburse the attorney general’s office for the cost of the investigation. An additional fine of $125,000 is suspended on condition that the company remains in compliance with the terms of the judgment.