When Your #Privacy is #Breached, This is how It’ll Happen

The best examples in life are of the 'real-world' variety.  These days, I've been hunkered down in my bunker (also known as my dining room) writing sections for the upcoming State Bar of California book, "Growing and Managing a Law Office".  This will also explain why I haven't been posting on the blog as often as I'd prefer.

A couple of days ago, I experienced a serious breach of privacy.  Not my own, mind you, but someone else's!  Specifically, I was emailed a copy of their surgical records.  Why?  Human error.  The sender simply got the email address wrong.

The message contained a 'HIPAA' privacy notice, with contact information.  Not wanting to create another electronic record by replying to the email, I picked up the phone and left a voice mail message that the person had sent the records in error and I was immediately destroying the original message.  Apparently, they didn't check their voice mail, because a few minutes later, the same person emailed me the password to access the records.  At that point, I figured I'd better reply to the message itself…

The sender – and the patient – were lucky in at least two respects:

  1. They sent the records to an eDiscovery attorney, and
  2. I wasn't the least bit interested in looking at them.

Fifteen years ago, when I was purely on the data side, people used to ask me how difficult it was to refrain from peeking at so much confidential information.  My answer was the same then as it is today: curious people don't do well in our line of business.  Now, you'll note, I didn't say 'inquisitive'.  Obviously, there are times and events that will require a reasonable investigation – but this isn't one of them.

As I've oft repeated, a disaster or breach will not likely manifest itself in the manner you expect.  In this case, it wouldn't have mattered if the sender's company employed the most cutting-edge security procedures available.  In the end, the whole thing was thwarted by the 'send' key.

How do you think their security, technology and legal personnel would feel if they knew?