Guarding Against The Internal Security Threat

Delano Collins

STORY #2: Data Grows Legs, Walks Right Out the Door

A large medical practice that we had just taken on as a client had IT security so bad it might as well have been non-existent. Very early in the engagement, a new office administrator called our support with a disaster of a situation: An unsecured access point was allowing anyone to access data on the practice’s private network. What this admin didn’t know – but what our asset inventory management tool determined – was that her area was supposed to have one more point-of-sale terminal than it had. This terminal (a Windows 7 PC) wasn’t in the building, but we were able to find it online with our RMM tools.

The situation brought up a number of concerns. As a medical practice dealing with patient data, the company was subject to HIPAA requirements that all electronic protected health information (ePHI) be secured to meet strict compliance guidelines. In this case, not only was data at risk of exposure through the unsecured access point, but the stolen POS terminal would also certainly contain sales invoices that included patient information on its hard drive. Both of these facts represented potential data breaches that could gravely injure the company through government fines and a ruined reputation.

Our RMM tools were able to access the stolen laptop, and we actually watched remotely as a person logged onto it using his actual name. From there, we did a search for the person and even found his social media accounts, which told us his location, miles away but in the same state. This person was associated with – you guessed it – a former hire of our client who did contract work as an “IT professional.” His duties included walking right out the door with the equipment, and the company was so disorganized it may never have been noticed if it had not begun broadcasting access to its network. We used our tools to change the user’s password and shut it down, and from there the person likely needed to format the drive to get any further use out of that laptop. We would have used a tool to go in and delete specific ePHI files, but the client didn’t know what was on the computer or have a system for keeping track.

We had been quite aggressive in imploring the company to implement our IT security suggestions, but in the end it was clear it didn’t have the will to do what it should. Because HIPAA requirements and liabilities also apply to the IT security providers servicing medical practices, we ended our relationship soon after out of a lack of trust that the medical practice would be able to avoid future, similar issues.