DataBreaches.Net


Doubleheader: the dangers of blogging about private matters and passing the buck, Friday edition

Posted on October 8, 2010 by Dissent

I was running my usual searches and the like to find items that I might want to post to my blogs, when I came across a link to an item and where the first line or so of the entry in the search engine results looked interesting. So I clicked on the link, only to be taken to a Blogspot notice:

This blog is open to invited readers only

Well, I clearly wasn’t an “invited reader,” but I was curious and so I decided to see if I could access the entire blog entry. It took less than a minute, of course.

Sadly, the person who wrote the blog entry has no idea that what she thought is secure and private is neither. Because she does not give her email address anywhere, I cannot send her an email to alert her that if she’s really concerned for her safety as well as her privacy, she needs to secure her blog better. Or better yet, remove it from the web altogether.

In any event, here’s just a small bit of what the situation involved. I’ll assume that the facts are as she alleges:

1. She is a patient at Hospital A.
2. Hospital A grants all physicians a login that gives them access to all patients’ records, not just their own.
3. An employee of a physician who is not, and has never been, her physician has repeatedly accessed her hospital files numerous times over a multi-year period. The employee does so for the usual kind of personal reasons.

When the patient contacted the hospital, they reportedly denied all responsibility for the breach and pointed at the physician whose employee was inappropriately accessing the files.

The physician said that it was not his responsibility to protect the PHI of someone who isn’t his patient.

The medical licensing board won’t take a complaint against the physician because there is no doctor-patient relationship.

There’s a lot more, of course, but that’s the issue I wanted to address here.

Although the blogger focuses on the employee and physician, this is a matter that should be reported to HHS. The hospital has, in my opinion, clearly failed big time to control access to patient records. They have also failed to audit access logs. This is a failure on the hospital’s part.

While the patient may have some cause of action against the employee, someone needs to straighten the hospital out. If the allegations are true, their failure to take responsibility for this privacy breach is offensive, to say the least.

And no, I do not know the name of the hospital. I do wonder if they ever advised the patient that she had the right to file a complaint with HHS if she was not satisfied with their response. There’s no mention of that in her account of the breach.


Category: Health Data


1 thought on “Doubleheader: the dangers of blogging about private matters and passing the buck, Friday edition”

  1. Anonymous says:
    October 11, 2010 at 1:18 pm

    I can tell you what my facility would do.

    Rather than passing the buck off to the employer-physician, we would take the woman’s complaint. Then, we would run an audit of the accused’s accesses for the time frame and ask the office manager or physician to determine the reason for the accesses, in a fairly short period of time (we give them 14 days). If they couldn’t give us a valid business need for the access, we would convene a sanctions committee. Then, since we have no control over the accused’s continued employment, but we do have control over whether or not they have access to our system, we would terminate their access to the information. Whether or not they could remain employed without the access to do their job is an issue for the employer.

    We’ve done all this before, obviously.

    If the blogger has a copy of the Notice of Privacy Practices for the hospital, she has the complaint address for the facility and for HHS, since both are required elements in the NPP under the Privacy Rule. I’ve filed complaints with HHS on behalf of other people several times in the last 7 years, because I know what the law is and I expect everyone to abide by it. If we knew the name of the facility, I would have to at least consider filing one on her behalf.
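As an added illustration (not from the post or from the commenter above), here is the audit step that both the post's point about unreviewed access logs and the commenter's 14-day review process call for: flag every access to a patient's chart by a user who has no treatment relationship with that patient, grouped per user and patient so the employer can be asked for a business reason. The log format, user ids and care-team table are constructed for this example; a real EHR audit export will look different.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, user, patient, action (one record per line).
# The layout is an assumption for this example, not any particular EHR's format.
AUDIT_LOG = """\
2007-03-14T09:12:00 u_nurse17 P1001 view_chart
2007-03-14T09:15:00 u_staff42 P1001 view_chart
2008-06-02T22:41:00 u_staff42 P1001 view_chart
2009-01-19T13:05:00 u_staff42 P1001 view_labs
2009-01-19T13:06:00 u_drsmith P1001 view_chart
2010-09-30T18:20:00 u_staff42 P1001 view_chart
2010-09-30T18:22:00 u_staff42 P2002 view_chart
"""

# Constructed treatment relationships: users on each patient's care team,
# including office staff of the treating physician.
CARE_TEAM = {
    "P1001": {"u_drsmith", "u_nurse17"},
    "P2002": {"u_staff42"},  # u_staff42 legitimately works for P2002's physician
}

def parse_log(text):
    """Parse each line into (datetime, user, patient, action)."""
    records = []
    for line in text.splitlines():
        ts, user, patient, action = line.split()
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records

def find_unjustified_access(text, care_team):
    """Group accesses with no treatment relationship by (user, patient).
    The summary (count, first/last date, span in years) is what an auditor
    hands to the employer when asking for a business reason for the access."""
    hits = defaultdict(list)
    for ts, user, patient, _ in parse_log(text):
        if user not in care_team.get(patient, set()):
            hits[(user, patient)].append(ts)
    report = {}
    for key, stamps in hits.items():
        stamps.sort()
        report[key] = {
            "count": len(stamps),
            "first": stamps[0].date().isoformat(),
            "last": stamps[-1].date().isoformat(),
            "years": stamps[-1].year - stamps[0].year + 1,
        }
    return report
```

Running `find_unjustified_access(AUDIT_LOG, CARE_TEAM)` on the constructed data reports only `u_staff42` against `P1001`: four accesses spread over four calendar years, the pattern the blogger describes and the one a routine log review would have surfaced long before the patient did.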

