#2 2017-02-24 08:08:41

As a data wrangler, this kind of stuff gives me the cold sweats. At the healthcare services company where I used to be employed, a customer service manager accidentally sorted a spreadsheet incorrectly, aligning the emails with the wrong people, then a developer used that spreadsheet to send emails to about 10k patients. Of course it was the developer who got fired (the CSM just happened to be married to the daughter of the company director...) and the HIPAA notice that was generated immediately killed the sale of the company to an investment firm. The only "personal data" that was sent out incorrectly was the name of the patient and the name of the doctor they visited. But that was enough to kill the deal, and 6 months later we were acquired by a rival and closed down to stifle competition on bids.

In this case nothing was released personally, just a dumb manager sending something out on the public wire. Dumb, but not really a "breach".

#3 2017-02-24 09:46:48

GooberMcNutly wrote:

As a data wrangler, this kind of stuff gives me the cold sweats. At the healthcare services company where I used to be employed, a customer service manager accidentally sorted a spreadsheet incorrectly, aligning the emails with the wrong people, then a developer used that spreadsheet to send emails to about 10k patients. Of course it was the developer who got fired (the CSM just happened to be married to the daughter of the company director...) and the HIPAA notice that was generated immediately killed the sale of the company to an investment firm. The only "personal data" that was sent out incorrectly was the name of the patient and the name of the doctor they visited. But that was enough to kill the deal, and 6 months later we were acquired by a rival and closed down to stifle competition on bids.

In this case nothing was released personally, just a dumb manager sending something out on the public wire. Dumb, but not really a "breach".

I worked on an EMR software package for Blue Cross and Blue Shield of South Carolina. We had yearly classes on things like why you can't tell your best friend that their spouse had a VD test. Or why you can't even tell your spouse that they've been diagnosed with {fill in the dreadful disease of your choice}. They tried to make it fun; after the training we had "Compliance Jeopardy" games, of all things. This was mostly for the CSRs on the other side, but IT did work with actual patient data, so we had to go too.

When the HIPAA requirements hammer came down, we had to record everybody in the system that viewed, edited, or printed patient information to a log table in the database. Fortunately for us, this was built as 3-tier so, instead of having to go to every fucking screen in the application to add the code, we could do everything in the middle tier on the application server, which narrowed it down to just a few objects.
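The middle-tier pattern the post describes, as an added illustration and not code from the poster or that EMR product: the UI tier can only reach patient rows through one service object, so a single audit hook records every view, edit and print to a log table. The schema, the `PatientService` class and the in-memory SQLite database are assumptions made up for this example.

```python
import sqlite3
from datetime import datetime, timezone

def open_db():
    """Constructed in-memory stand-in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    db.execute("CREATE TABLE phi_audit (id INTEGER PRIMARY KEY, ts TEXT, user_id TEXT, "
               "action TEXT, patient_id INTEGER, detail TEXT)")
    db.execute("INSERT INTO patient VALUES (1, 'Sample Patient', 'sample dx')")  # constructed row
    db.commit()
    return db

class PatientService:
    """Middle-tier object (hypothetical): the UI tier reaches patient rows only
    through these methods, so one audit hook covers every screen."""

    def __init__(self, db, user_id):
        self.db = db
        self.user = user_id

    def _audit(self, action, patient_id, detail=""):
        # Written inside the caller's transaction, so a data change and its audit
        # row commit (or roll back) together; a change with no audit row cannot happen.
        self.db.execute(
            "INSERT INTO phi_audit (ts, user_id, action, patient_id, detail) VALUES (?,?,?,?,?)",
            (datetime.now(timezone.utc).isoformat(), self.user, action, patient_id, detail))

    def _fetch(self, patient_id, action):
        with self.db:  # commits on normal exit, rolls back on exception
            # Logged even when the row does not exist: an attempt is still an access.
            self._audit(action, patient_id)
            return self.db.execute("SELECT id, name, diagnosis FROM patient WHERE id = ?",
                                   (patient_id,)).fetchone()

    def view(self, patient_id):
        return self._fetch(patient_id, "VIEW")

    def print_record(self, patient_id):
        return self._fetch(patient_id, "PRINT")

    def edit(self, patient_id, diagnosis):
        with self.db:
            self._audit("EDIT", patient_id, f"diagnosis -> {diagnosis}")
            cur = self.db.execute("UPDATE patient SET diagnosis = ? WHERE id = ?",
                                  (diagnosis, patient_id))
            return cur.rowcount

def audit_trail(db, patient_id):
    """Reviewer query: who touched this patient's record, and how, in order."""
    return db.execute("SELECT user_id, action FROM phi_audit WHERE patient_id = ? ORDER BY id",
                      (patient_id,)).fetchall()
```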

cruelery.com