2.1 HIPAA Scenarios

2 hours 7 minutes
Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we showed you a couple of examples of ransomware and talked through that a little bit. I wanted to give you some visualization of what that might look like without you actually having to download ransomware yourself.
In this video, we're gonna talk about some different scenarios, case studies, where we're gonna talk through some things that actually happened in real life regarding HIPAA. And then in the next video we're going to go ahead and jump right into our lab with the SRA tool, the Security Risk Assessment tool.
So as of the timing of this video, there was actually just a recent, well, another data breach for Quest Diagnostics.
This was done through a third party that they used, the American Medical Collection Agency. That's where the actual data breach occurred, and roughly around 12 million people are affected, and that number might go up, but roughly around 12 million people are affected.
Basically what happened is a lot of different data was stolen. So not just your protected health information, but also financial data, and also things like your Social Security number. What that would allow someone to do, if you don't know, is steal your identity, so they could go open different credit cards in your name, or open different medical accounts or have procedures done in your name.
So when you get all those data components together, that's when it becomes a huge, huge problem.
So we're still kind of waiting for that one to fully unravel and see what kind of penalties there are. Of course, the standard, as many companies do when there's a breach like this, is that you get free credit monitoring, but that doesn't really help you. If somebody goes and opens stuff in your name, it just kind of helps you realize that somebody has opened stuff; it doesn't actually prevent anything, is what I'm trying to get at. So that's up to you. If you're a victim of this, it's up to you on what you wanna do. Again, nothing in this course is legal advice, but it's kind of up to you and what you want to do. But that is something that is being offered, apparently, the free credit monitoring, I think for a couple of years or so.
So let's talk about some of these other ones. And I've obviously given these other ones made-up names, not the real thing, because I want to keep it somewhat private for the victims involved. So basically, what happened here with this phone messaging thing? And I've actually experienced people doing this in different organizations I've worked with.
So what happened is that an employee of a hospital didn't observe the minimum necessary requirement. So when this person left a voicemail, they basically outlined the patient information, details like the medical condition, the plan of treatment, all these things that they shouldn't be doing, right? And then what they also did is they ignored the fact that the patient themselves said, "Hey, call me on my work number with my results and that sort of stuff," right?
So basically they left so much information on the voicemail that it was violating HIPAA. We talked about this; I mentioned the procedures, that sort of stuff. So what happened here? What was the punishment or whatever? Did they go to prison for life or anything? No. Basically, the hospital instituted some new policies to address the issue of just leaving the minimum necessary. So, like, "John Doe, this is Suzie from Dr. Smith's office. Please call me back at this number," right? That's basically what you should be leaving on a voicemail, unless you have authorization from the patient on what else you can leave.
And then as a result, with the new policies and procedures, they went ahead and trained all employees to just leave the minimum information on a voicemail. That's something I always did. I just kind of did this by default, I guess; I actually didn't know about this component of it, how it related to HIPAA. But I always just left the minimum. I always did just like the example I gave: "Hey, Mr. Smith, this is John Doe from Dr. Williams's office. Please call me back at this number." I never left the doctor's office type, because that could actually give away information. So, like, if you were calling from an infectious disease doctor, it's a slippery slope, right? Obviously there's the legal thing, but it's also a slippery slope for someone's personal life, because maybe they're cheating on their spouse and they caught an STD and they're being treated for it, and their spouse doesn't know. I always just found it best to basically say who I'm calling for, who I am, and here's a callback number. If you do it like that, you should be good to go. Again, not legal advice, but you should be good to go in most instances.
So next we have what I call "Eating Too Much." And we're not actually eating anything; nobody ate anything here. But what happened is that an insurance company basically sent the patient's entire medical record to a disability insurance company. So basically, an HMO sent the entire record to a disability insurance company without the patient's authorization.
So what was found is that, hey, this was not a valid send, because they didn't need to know all of the stuff in the patient's chart. All that led to is basically a new form for patients to fill out. Even if the patient brought in their own authorization form, the patient still had to fill out this new form that would basically cover the entity from this type of situation in the future.
Next up, we have "Famous Skull." So again, a made-up name for this particular one. But what happened here with this patient is they basically got injured in some kind of sporting accident. It seems like it was some kind of rare, unusual type of injury.
And so what the hospital did was release the patient's X-rays of their skull to the local media, which, obviously, why would you do that? But the local newspaper ran it. This isn't the actual photo, but they ran a picture of the skull X-ray. They also ran a story; they also posted the date of the accident, where the accident occurred, the patient's gender, and a description of the medical condition. So basically a lot of information that could be used to identify the patient in this situation.
So the hospital's argument was kind of like, "Oh, no, we wanted to help people out. We wanted to talk about unusual sporting accidents and help other people avoid getting injured," that sort of stuff. But what OCR found was that this actually didn't meet the Privacy Rule's standards for that type of action. So the hospital didn't have any permission, in their findings. And so they had to do different corrective actions. So, for example, they had to develop and implement a policy regarding disclosures related to serious threats to health and safety. So they basically had to come through and create new policies around that and then train their employees on it.
All right. So next up, we have "Don't Take My Money." Earlier in this course I talked about how, under HIPAA, a reasonable amount can be billed for making copies of your medical records. So the provider can bill you a reasonable amount. So this story is actually surrounding that. What happened is that, number one, the patient never got the records released. They didn't until OCR got involved; they did not get access to their medical records. And then what happened, after OCR basically notified the entity, like, "Hey, you need to send the records," then the entity released the records to the patient, but billed $100 for what was being called a records review fee, as well as an administrative fee. So basically they were billing this patient for unnecessary things.
And so OCR found that they were in violation, and so the entity went ahead and just refunded the money. But you see that, again going back to my personal opinion, there's always somebody trying to get around things and kind of get you in life, so to speak. So this was an example of that, where an entity was just overbilling a patient and assumed that the patient wouldn't be smart enough to figure that out and call them on what they were doing.
So next up we have "We Love Computers." What happened here is basically an organization sent out what's called an explanation of benefits, or EOB. They sent it by mail to an unauthorized family member. And this happened to be actually a glitch in the computer system itself, which caused approximately 2,000 families to be at risk of disclosure in violation of the rule. And so what happened is, number one, the insurer was required to correct a flaw in its computer system and then also review all the transactions in a six-month period of time. So possibly when they did an update to that system, is my guess. But they had to review all the transactions in a six-month period of time, correct any type of corrupted information, and also notify the patients and their families as well.
All right. So next up, we have an interesting situation where what happened is a supervisor went ahead and accessed their employee's medical records. Now, we all know that your supervisor can see your employment file in most cases, depending on your organization's policies; they can see your employment record in some capacity. But in this situation the supervisor was looking at the employee's actual health record and also went ahead and disclosed the information to other individuals.
So what happened? Again, you would think jail time, like, let's be strict on people. But actually what happened is just basically a slap on the wrist. So a notation was made in the supervisor's file and they also had to go through corrective training as well. So some people might consider that punishment. In my opinion, it should have probably been a little stricter, because your supervisor should not be looking at your health records to then share them with other people.
So in this video, we just kind of talked through some different examples, so you could see some real-life examples of how people are violating HIPAA, whether inadvertently, whether through technology, like the example of the computer system malfunctioning and erroneously sending out the information to a family member of a patient. We also took a look at malicious intent, right, and in that aspect of malicious intent or context, we were talking about the supervisor in this example right here, where the supervisor went ahead and just looked at their employee's medical records without prior authorization.
So in the next video, we're gonna finally jump into our lab. I know we've kind of been getting, at least I've been getting, death by PowerPoint. So we're gonna jump into our hands-on component now with the SRA tool, again, the Security Risk Assessment tool. There are gonna be several videos in that overall lab, but we're eventually going to install the tool, then work through completing the aspects of the tool, and then finally wrap up with taking a look at the reporting inside of the tool. And then we'll move into module three, where we just wrap up the overall course itself.