Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet…
“Medical privacy violator gets 1 year”
“Attorney Michael Green represents the estate of the victim and said the Internet postings, on a MySpace page, were ‘vile, hurtful and disgusting.’ He said he intends to file a civil suit against Wong-Fernandez, Straub and other defendants. The information about his client’s HIV-positive status was posted several times in late 2007 and early 2008, he said.”
The worker, Wong-Fernandez, was fired as soon as the hospital, Straub, discovered what she had done. But where were the controls to prevent something like this from happening in the first place?
The insider threat is very hard to defend against, which makes regular training and ongoing awareness, along with implementing sound safeguards, so important.
It seems like this would certainly be a HIPAA violation, and that the worker would be subject to the criminal penalties under HIPAA, but the news report didn’t even mention anything about HIPAA.