Went bankrupt. CEO got three months of suspended sentence and had to return the millions he made selling shares of the company after the data breach but before it was known publicly.
While unauthorized access to therapy notes is bad, I think there's a difference in scale.
You probably don't bring all of your notes from your whole practice with you on the train to lose. If you do bring some of your notes with you and leave them on the train, there's a good chance they will be returned without being accessed by the returner, or be collected as trash, again with no access. Even if there is some access, it's less likely that they'll be widely distributed, because they'd need to be digitized or otherwise copied first, and that's a lot of effort.
If the person who picks up your notes on the train is nefarious or even maybe just curious and happens to know the people in your notes, there's potential for negative outcomes for your patients, but IMHO, the probability of a negative outcome for patients given an incident of unauthorized access is lower with paper records than digital records. I don't know if I can really opine on the probability of unauthorized access --- digital records open up the possibility of more effective controls on access than a filing cabinet; you can't audit which records were read when an authorized person opens a cabinet to get some records and looks around at others.
The likelihood of patient files being found on a train and mass exploited are really low. Most people would either try to do the right thing or just trash them. The average train rider isn’t looking to ruin someone’s day.
The same cannot be said for the average unprotected database scanner.
https://github.com/SKKU-SecLab/AdFlush/tree/main?tab=readme-...
But since the first webpage I tried still had huge ads, I turned uBlock back on ;)