Friday, September 18, 2009

Spyware causes HIPAA violation at Ohio Hospital

Man emails spyware to ex girlfriend's Yahoo account. What could go wrong?

The woman happens to work at a hospital. She opened it at a work computer, and the spyware happily emailed out billing and healthcare information for 65 patients. As other people used that computer, it also emailed out their email and financial information (presumably they looked at their online accounts from there)

CIO Magazine reports:
He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

The complaint does not explain how Graham managed to convince the woman to install the program, but clever attackers often trick their victims into clicking on files by saying that they are interesting videos or some kind of useful software.

Between March 19 and March 28 the spyware sent more than 1,000 screen captures to Graham via e-mail.
 The hospital is also to blame. It is unclear if they provided any training to employees about not opening attachments from emails, but it is absolutely clear that they were not blocking 3rd party email access from work.

The article is also unclear about if the girlfriend is still employed at work or not.

2 comments:

hipaa said...

HIPAA had brought a new revolution in the healthcare sector and had made significant improvement especially in mishandling of vital healthcare information of individual patient, but still due to lack of proper HIPAA training, there are incidences of losing or disclosing the patient information from doctor, nurse or from any concern person. The HIPAA training will helps to better understand the implications of HIPAA legislation and identify critical compliance requirements. It helps to better understand HIPAA’s Administrative Simplification Act as well as how to create a framework for initiating and working towards a blueprint for HIPAA Privacy compliance and understand HIPAA Security Rules And Regulations. The HIPAA Training will give the healthcare organization, covered entities and business associated competency in designing, implementing, and administering comprehensive privacy protection programs in all types of healthcare organizations.

Online HIPAA Training said...

Due to lack of knowledge and proper HIPAA Training, many covered entity staff gets in such a situation of violating HIPAA security and privacy laws. The breaching of vital patient information happens, and this will happen as long as a proper HIPAA training is not provided to the concern person handling the patient information. It is having said that many of the hospital staff including the doctors are unaware about the HIPAA security and privacy law and accidentally breach out the vital patient information, and to avoid such incidence HIPAA Training is only one of the most important option. So if he or she is a doctor, nurse, MT or any concern person handling the patient information, he/she has to go through the HIPAA Training. Here is one of the website http://www.training-hipaa.net that can help healthcare organization, covered entities as well as individual seeking HIPAA Training.