
IT related HIPAA violation?


rubberduck

Junior Member
What is the name of your state? OH

OK - I work in Information Technology. During the course of diagnosing an Internet connection, I found that I was connecting to the local clinic's network.

I didn't poke around any, but just from what network information they were automatically giving me, I was "in" from a hacker's point of view. When I saw the domain name that I had been issued, I knew who to call to report this incident at the clinic. They "took care" of the problem to the best of my knowledge, as I no longer am getting their network info when I try to connect to the Internet.

Does this "hole" in their network defenses constitute a HIPAA violation? Who is the governing body? What can/should I do at this point to make sure their response is appropriate? I am also a client of that organization, so I'd like to have some outside opinion that they are taking privacy seriously.

I'd be glad to have other opinions here.
 


ellencee

Senior Member
rubberduck said:
What is the name of your state? OH

OK - I work in Information Technology. During the course of diagnosing an Internet connection, I found that I was connecting to the local clinic's network.

I didn't poke around any, but just from what network information they were automatically giving me, I was "in" from a hacker's point of view. When I saw the domain name that I had been issued, I knew who to call to report this incident at the clinic. They "took care" of the problem to the best of my knowledge, as I no longer am getting their network info when I try to connect to the Internet.

Does this "hole" in their network defenses constitute a HIPAA violation? Who is the governing body? What can/should I do at this point to make sure their response is appropriate? I am also a client of that organization, so I'd like to have some outside opinion that they are taking privacy seriously.

I'd be glad to have other opinions here.
Does the hole in their network defenses constitute a HIPAA violation? No; it does not. What can/should you do? Go back to your business/job. You have no right to even suggest that you should have some input as to whether or not their response is appropriate--like fixing the problem could be anything but an appropriate action.

EC
 

rubberduck

Junior Member
ellencee said:
like fixing the problem could be anything but an appropriate action.

EC
Fixing was definitely appropriate in my book - no problem there. My concern is primarily: "Is my private information being safeguarded properly?"; secondarily, "Is other people's information being safeguarded properly?"; thirdly, "Did their management get any sort of a report so that their next auditor's visit (if they are audited) can provide third-party verification that their 'fixing the problem' really fixed the problem?"
 

panzertanker

Senior Member
rubberduck said:
What is the name of your state? OH

OK - I work in Information Technology. During the course of diagnosing an Internet connection, I found that I was connecting to the local clinic's network.

I didn't poke around any, but just from what network information they were automatically giving me, I was "in" from a hacker's point of view. When I saw the domain name that I had been issued, I knew who to call to report this incident at the clinic. They "took care" of the problem to the best of my knowledge, as I no longer am getting their network info when I try to connect to the Internet.

Does this "hole" in their network defenses constitute a HIPAA violation? Who is the governing body? What can/should I do at this point to make sure their response is appropriate? I am also a client of that organization, so I'd like to have some outside opinion that they are taking privacy seriously.

I'd be glad to have other opinions here.
So you were:
In their building
Hooked to their T-line
Using their computer?

Clarify the circumstances...
 

rubberduck

Junior Member
panzertanker said:
So you were:
In their building
Hooked to their T-line
Using their computer?

Clarify the circumstances...
Was in our building, outside our firewall on an Internet connection provided by the same provider as their Internet connection, using our computer. They provided IP address via DHCP, as well as gateway, DNS servers, and WINS servers. Basically the clinic had bridged their LAN onto an ISP that is in common between us and them.

To further explain a bit, they claimed to see 40-50 other IP addresses that they had handed out, and weren't sure who had them. Once I had sufficient information to know what was going on and who to call, I did what was "right" according to our policy and notified them. Their fix of simply pulling the plug and patching the hole wouldn't allow them to identify the source of the other traffic, or sniff the traffic to attempt to determine what, if anything, malicious was being done on their network by the others to whom they had given IP addresses.

I can't see this issue as being any different than them leaving my medical records lying around in a public area. Granted, it was in electronic format instead of printed, but the net effect is that medical records were placed in an area where the public had access. If I were to walk into the doctor's office and my records were physically exposed, I would like to believe that I would have some recourse, at least the right to ensure that the incident were properly reported to management and addressed in a way that hopefully deters similar occurrences in the future.
 
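The symptom rubberduck describes above (a lease from the wrong DHCP server, handing out someone else's domain name, gateway, DNS and WINS servers) is something a client can check for itself. The following is an added example, not code from the poster or from the forum: a small Python audit that parses dhclient-style lease records and flags any lease whose options do not belong to the network the host expects. The lease text, the expected domain `example-isp.invalid` and the expected network `203.0.113.0/24` are constructed sample values; the WINS heuristic is an assumption that an ISP-issued lease would not normally advertise NetBIOS name servers.

```python
"""Sanity-check DHCP leases against the network this host expects to be on."""
import ipaddress
import re

# Constructed sample in dhclient lease-file style. The first lease is what
# this host should get from its own provider; the second mirrors the case in
# the thread, where a neighbour's LAN is bridged onto the shared ISP segment
# and its DHCP server answers first.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 203.0.113.57;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.1;
  option domain-name-servers 203.0.113.53, 203.0.113.54;
  option domain-name "example-isp.invalid";
  option dhcp-server-identifier 203.0.113.1;
}
lease {
  interface "eth0";
  fixed-address 192.168.10.77;
  option subnet-mask 255.255.255.0;
  option routers 192.168.10.1;
  option domain-name-servers 192.168.10.5;
  option netbios-name-servers 192.168.10.5;
  option domain-name "clinic.invalid";
  option dhcp-server-identifier 192.168.10.1;
}
"""

# What this host expects from its own provider (constructed values).
EXPECTED = {
    "domain": "example-isp.invalid",
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}

# Every lease field that carries an IP address we can check against EXPECTED.
ADDRESS_KEYS = ("fixed-address", "routers", "domain-name-servers",
                "netbios-name-servers", "dhcp-server-identifier")


def parse_leases(text):
    """Return one dict per 'lease { ... }' block, keyed by option name."""
    leases = []
    for body in re.findall(r"lease\s*\{(.*?)\}", text, re.S):
        lease = {}
        for raw in body.strip().splitlines():
            line = raw.strip().rstrip(";")
            match = re.match(r"(?:option\s+)?(\S+)\s+(.+)", line)
            if not match:
                continue
            key, value = match.groups()
            values = [v.strip().strip('"') for v in value.split(",")]
            lease[key] = values if len(values) > 1 else values[0]
        leases.append(lease)
    return leases


def check_lease(lease, expected=EXPECTED):
    """Return a list of findings; an empty list means the lease looks like ours."""
    findings = []
    domain = lease.get("domain-name")
    if domain is not None and domain != expected["domain"]:
        findings.append(f"domain-name {domain!r} is not {expected['domain']!r}")
    for key in ADDRESS_KEYS:
        values = lease.get(key)
        if values is None:
            continue
        if isinstance(values, str):
            values = [values]
        for value in values:
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in expected["networks"]):
                findings.append(f"{key} {addr} is outside the expected network")
    # Assumption: a provider lease does not hand out WINS servers; seeing them
    # suggests the lease came from an internal Windows LAN.
    if "netbios-name-servers" in lease:
        findings.append("lease advertises WINS servers, unexpected for an ISP lease")
    return findings


def audit(text, expected=EXPECTED):
    """Pair each lease's interface with its findings."""
    return [(lease.get("interface", "?"), check_lease(lease, expected))
            for lease in parse_leases(text)]


if __name__ == "__main__":
    for iface, findings in audit(SAMPLE_LEASES):
        status = "OK" if not findings else "SUSPECT"
        print(f"{iface}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against the real lease file (`/var/lib/dhcp/dhclient.leases` on many Linux systems) by reading that file into `audit()` instead of `SAMPLE_LEASES`; a non-empty findings list is the cue to report the lease to whoever owns the domain it names, which is exactly what the poster did.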

purple2

Member
I agree the situation you describe indicates a concern. However, you took appropriate action by reporting it. The facility then should take appropriate action by fixing the problem. That's the end of the story though. IMO there's no need to report this to an outside entity unless your employer is refusing to fix the problem.
 
