Scenario 1

Gertrude, a home health nurse for New Horizons Hospital, accidentally left her encrypted laptop at the home of her client, Mr. Morgan. She noticed it was missing when she arrived at the next and last client of the day's residence. The laptop had access to information about all home health clients, including visit notes, medications, and demographic and payment information. She immediately rescheduled that appointment and backtracked to retrieve the laptop, but when she arrived at Mr. Morgan's home forty minutes after originally departing, no one was there. Then she remembered Mr. Morgan mentioned a doctor's appointment that afternoon. She called the home health office to request Mr. Morgan's cell phone number. When she reached him 10 minutes later, Mr. Morgan stated he had the laptop with him and would leave it with the receptionist at the podiatrist's office for her to pick up. Gertrude tried to ask where he was but he interrupted saying Judy just called him back to the exam room and he had to go, hanging up. Gertrude began calling every local podiatrist asking if someone named Judy worked there, hoping to establish where the laptop was. Finally, after 35 minutes of calling, she found the right office. She explained the situation to Judy, who said she had the laptop and Gertrude could come by anytime tomorrow to get it. The office was closing since it was 4:00 p.m. and no one was able to stay for her to come by that evening. When the office opened at 8:00 a.m. the next morning, Gertrude was there to retrieve the laptop. Unfortunately, the laptop was nowhere to be found. It was surmised that perhaps someone from the cleaning crew that worked the night before may have taken the laptop, as nothing else was missing from the office. Gertrude left to go report the theft to her manager.

1. Formulate a plan of action that the home health manager should initiate, detailing the steps.

2. Propose appropriate disciplinary action (if any) for Gertrude.

3. Construct a list of internal and external individuals who need to be notified of this theft and provide a rationale for their inclusion.

Scenario 2

Walnut Grove Hospital outsources some inpatient coding to Waldorf and Associates, with whom they have a business associate agreement. Eloise Apple is an independent coding consultant who works for Waldorf and Associates and is primarily responsible for coding the accounts from Walnut Grove Hospital. She has her own business associate agreement with Waldorf and Associates. Eloise's consulting business grew faster than she expected, so she subcontracted the work from Waldorf and Associates to Astor C. Elery but did not initiate a business associate agreement with her. Unfortunately, Astor was a victim of voice phishing (vishing) when, on April 2nd, she received what she thought was a legitimate call from the hospital's IT department wanting to verify her Page 2 log-in credentials after a virus was detected. The caller, who presented himself as an IT representative, stated he needed the information in order to validate that the virus had not originated from her computer. Once the caller had Astor's access information, he was able to enter the hospital information system at will. He used it to locate the account of a prominent individual within the community, which included details about her recent venereal disease diagnosis. Two days after the vishing incident, the woman received a blackmail letter and immediately reported it to the police. They began an investigation to determine who the blackmailer was and from where the information had been obtained. That led them to the hospital and her primary care physician. After the hospital's IT department performed analysis of their system, it was clear the information had come from them, and specifically under the log-in of Astor.

1. From the evidence above, did a breach truly occur? Support your position.

2. Consider the elements involved in this scenario and surmise which party is responsible for any notifications that must be made and support your position.

3. Based on the above information, will any notifications be necessary? Why or why not?

4. Present considerations for the hospitals IT system in the wake of this event. What types of system failures did this highlight in the hospital IT system?