DataBreaches.Net

HIPAA Follies, Monday Edition: Tweeting that your sloppy security resulted in data theft

Posted on October 11, 2010 by Dissent

I’ve reported a number of instances where employees have been disciplined or terminated for imprudent postings on Facebook or MySpace, but a series of tweets I saw on Twitter yesterday demonstrates how to simultaneously diminish the public’s confidence in HIPAA while risking your own future, 140 characters at a time.

It started with a twitterer sharing that her car had been broken into:

They got me http://plixi.com/p/49518579

Later, she tweeted:

@KiraNthaCity Im good…They broke into my car again..And we was just talkin about that happening..Im gonna get a new car soon

Note the “again” as we’ll get back to that. But here’s the first really stunning tweet:

@KiraNthaCity All they took was my clients Info…Just a Bunch of HIV Paperwork…HIPPA is gonna Sue my Ass!

Apart from the fact that she calls it “HIPPA” and not “HIPAA” – a mistake that often makes me wonder whether some people have really paid attention to the law – what does this tweet reveal about concern for privacy when she seemingly minimizes data loss as “All they took” and “clients Info…Just a Bunch of HIV Paperwork?”

Would her clients agree that it was not a big deal that their information was stolen? Does the tweet reflect any concern for the affected clients? When another twitterer offered commiseration, she responded:

@Mr_Steal_UrGirl Its all Good Bro…Grain of Salt. Good Luck with your event today..WIsh I were there!

Having confidential data you were responsible for stolen is a “Grain of Salt?”

All I see in her tweets is concern for her car (I’m sure that we’re all very relieved that she got the window repaired promptly) and some possible concern for herself because of HHS/HIPAA “suing her ass.”

How can tweets like these possibly engender public trust that HIPAA-covered entities take their responsibilities seriously?

Given that this was not the first time her car was broken into and she was clearly well aware of the risk (her broken into “again” tweet), why did she leave PHI in her car? From the picture she uploaded, it appears that the papers may not have even been in the trunk, but in the main compartment of the car. No HIPAA-covered entity should ever be leaving unsecured PHI in their car (indeed, I would argue that leaving any PHI in a car automatically makes it unsecured), but to leave it in your car after your car has already been broken into once is just — what’s the word I’m looking for? Negligent? Of course, this is all just my opinion, based on her tweets, but they really do create an awful impression.

I do not know whether she has, or will, report the breach to her clients, HHS and to the state of California, whose laws would now seemingly require her to report this breach. I’m basing my guess that it’s a reportable breach on her statement that the incident falls under HIPAA. If it does, in fact, require reporting and she doesn’t report it, it wouldn’t be difficult for HHS or the state of California to determine who she is should they so desire.

In today’s world of sharing too much, it’s helpful to remember that some things are still best left unshared. Having sensitive data stolen because you were lazy or sloppy with security is not the kind of thing that is advisable to share all over social media. Demonstrating that you think so little of the security and privacy of clients’ HIV info or the possible impact of the breach on your clients is also best left unshared.

Category: Health Data

1 thought on “HIPAA Follies, Monday Edition: Tweeting that your sloppy security resulted in data theft”

  1. Anonymous says:
    October 11, 2010 at 8:57 pm

    HIV private information will have a bigger impact on “the clients” and is hardly punished by HHS, because of not only potential identity theft but the reputation of the “Client”.

    Too bad for this lady; her rear end could be in real fire.
