DataBreaches.Net


Doubleheader: the dangers of blogging about private matters and passing the buck, Friday edition

Posted on October 8, 2010 by Dissent

I was running my usual searches and the like to find items that I might want to post to my blogs, when I came across a link to an item where the first line or so of the entry in the search engine results looked interesting. So I clicked on the link, only to be taken to a Blogspot notice:

This blog is open to invited readers only

Well, I clearly wasn’t an “invited reader,” but I was curious and so I decided to see if I could access the entire blog entry. It took less than a minute, of course.

Sadly, the person who wrote the blog entry has no idea that what she thinks is secure and private is neither. Because she does not give her email address anywhere, I cannot send her an email to alert her that if she’s really concerned for her safety as well as her privacy, she needs to secure her blog better. Or better yet, remove it from the web altogether.

In any event, here’s just a small bit of what the situation involved. I’ll assume that the facts are as she alleges:

1. She is a patient at Hospital A.
2. Hospital A grants all physicians a login that gives them access to all patients’ records, not just their own.
3. An employee of a physician who is not, and has never been, her physician has accessed her hospital files numerous times over a multi-year period. The employee does so for the usual kind of personal reasons.

When the patient contacted the hospital, they reportedly denied all responsibility for the breach and pointed at the physician whose employee was inappropriately accessing the files.

The physician said that it was not his responsibility to protect the PHI of someone who isn’t his patient.

The medical licensing board won’t take a complaint against the physician because there is no doctor-patient relationship.

There’s a lot more, of course, but that’s the issue I wanted to address here.

Although the blogger focuses on the employee and physician, this is a matter that should be reported to HHS. The hospital has, in my opinion, clearly failed big time to control access to patient records: a login issued to a physician (and used by that physician’s staff) should not open every patient’s chart regardless of whether there is any treatment relationship. They have also failed to audit access logs, since repeated accesses to one patient’s record by someone with no connection to her care went unnoticed for years. This is a failure on the hospital’s part.
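What the audit the hospital should have been running looks like in practice: take the EHR access log, compare each access against the documented treatment relationships, and surface the (user, patient) pairs with no relationship, ranked by how often and over how long a period the chart was opened. The script below is an added example written for this post; it is not code from DataBreaches.net or from any hospital’s system. The log format, the care-team table, the user and patient IDs and every log line are constructed for illustration.

```python
"""Flag EHR chart accesses that have no documented treatment relationship.

Added example for this post; not code from DataBreaches.net or from any
real hospital system. The log format, the care-team table and all IDs
below are constructed. A real review would read the EHR's own audit
export and derive CARE_TEAM from encounter and referral data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str       # login that opened the chart
    practice: str   # physician practice the user works for
    patient: str    # patient whose chart was opened
    action: str     # "view", "print", ...


# Constructed care-team table (hypothetical IDs): which practices have a
# documented treatment relationship with which patients.
CARE_TEAM = {
    "P-1001": {"DR-SMITH"},
    "P-1002": {"DR-SMITH", "DR-LEE"},
}

# Constructed audit log. "jdoe" works for DR-LEE, who has never treated
# P-1001, and opens that chart repeatedly over roughly three years.
RAW_LOG = """\
2007-03-02T09:14:00|jdoe|DR-LEE|P-1001|view
2007-03-02T09:20:00|nurse1|DR-SMITH|P-1001|view
2008-01-15T13:02:00|jdoe|DR-LEE|P-1001|view
2008-01-15T13:05:00|jdoe|DR-LEE|P-1001|print
2009-06-30T17:45:00|jdoe|DR-LEE|P-1001|view
2009-07-01T08:00:00|jdoe|DR-LEE|P-1002|view
2010-02-11T11:11:00|jdoe|DR-LEE|P-1001|view
"""


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed pipe-delimited log into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, practice, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(when), user,
                                  practice, patient, action))
    return events


def has_relationship(ev: AccessEvent, care_team: dict) -> bool:
    """True if the user's practice is on the patient's documented care team."""
    return ev.practice in care_team.get(ev.patient, set())


def unexplained_accesses(events, care_team) -> list[AccessEvent]:
    """Every access with no treatment relationship behind it."""
    return [ev for ev in events if not has_relationship(ev, care_team)]


def summarize(events) -> dict:
    """Group unexplained accesses by (user, patient): count, distinct days,
    first/last date and span in days, so a reviewer sees patterns rather
    than individual lines."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.user, ev.patient)].append(ev.when)
    summary = {}
    for key, times in groups.items():
        times.sort()
        summary[key] = {
            "count": len(times),
            "distinct_days": len({t.date() for t in times}),
            "first": times[0].date().isoformat(),
            "last": times[-1].date().isoformat(),
            "span_days": (times[-1] - times[0]).days,
        }
    return summary


def review_queue(summary: dict) -> list:
    """Order pairs for follow-up: most distinct days, then longest span.
    Each one becomes a 'justify this access' request to the practice."""
    return sorted(summary.items(),
                  key=lambda kv: (kv[1]["distinct_days"], kv[1]["span_days"]),
                  reverse=True)


if __name__ == "__main__":
    flagged = unexplained_accesses(parse_log(RAW_LOG), CARE_TEAM)
    for (user, patient), stats in review_queue(summarize(flagged)):
        print(f"{user} -> {patient}: {stats['count']} accesses on "
              f"{stats['distinct_days']} days, {stats['first']}..{stats['last']} "
              f"({stats['span_days']} days)")
```

The relationship check alone produces false positives (emergency care, cross-coverage, consults not yet recorded), which is why the output is a review queue rather than a verdict: each flagged pair goes back to the practice with a deadline to supply a business reason, and access is revoked if none is given. The more important point is that a single multi-year pattern like jdoe’s is trivial to surface once someone actually looks at the log.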

While the patient may have some cause of action against the employee, someone needs to straighten the hospital out. If the allegations are true, their failure to take responsibility for this privacy breach is offensive, to say the least.

And no, I do not know the name of the hospital. I do wonder if they ever advised the patient that she had the right to file a complaint with HHS if she was not satisfied with their response. There’s no mention of that in her account of the breach.

Category: Health Data


1 thought on “Doubleheader: the dangers of blogging about private matters and passing the buck, Friday edition”

  1. Anonymous says:
    October 11, 2010 at 1:18 pm

    I can tell you what my facility would do.

    Rather than passing the buck off to the employer-physician, we would take the woman’s complaint. Then, we would run an audit of the accused’s accesses for the time frame and ask the office manager or physician to determine the reason for the accesses, in a fairly short period of time (we give them 14 days). If they couldn’t give us a valid business need for the access, we would convene a sanctions committee. Then, since we have no control over the accused’s continued employment, but we do have control over whether or not they have access to our system, we would terminate their access to the information. Whether or not they could remain employed without the access to do their job is an issue for the employer.

    We’ve done all this before, obviously.

    If the blogger has a copy of the Notice of Privacy Practices for the hospital, she has the complaint address for the facility and for HHS, since both are required elements in the NPP under the Privacy Rule. I’ve filed complaints with HHS on behalf of other people several times in the last 7 years, because I know what the law is and I expect everyone to abide by it. If we knew the name of the facility, I would have to at least consider filing one on her behalf.
