The Security Scrutinizer with Howard Anderson

Outrageous Behavior on Facebook

It's Time to Get Angry About Privacy Violations, and Take Action

Don't assume the entire staff at your organization - or, for that matter, all your contractors - apply common sense when using Facebook. Odds are that at least some of them don't.

This was recently illustrated by the news that a contract employee at a California hospital posted information about a patient on a Facebook page - just for laughs. The details of the incident are, well, outrageous. And hopefully they'll prove to be a strong reminder that workers need to be educated on how to protect privacy when using social media - and offered frequent reminders that they'll lose their job and face government penalties if they're guilty of a privacy violation.

A Bad Joke

The Los Angeles Daily News reports that an employee of a staffing agency who was working at Providence Holy Cross Medical Center in Mission Hills, Calif., decided to use Facebook to poke fun at a patient.

This "jokester" displayed a photo of a medical record listing a patient's name and the date she was admitted, and posted tasteless comments about her medical condition.

A few enlightened folks, however, took the step of commenting on the Facebook page about the inappropriateness of the post, pointing out it violates the privacy provisions of the Health Insurance Portability and Accountability Act.

But really, we don't need HIPAA to tell us what's right and wrong here. How can it ever be appropriate to post private medical details about someone on Facebook without their permission?

So what was the culprit's reaction to the protestors? Well, according to the newspaper, he added insult to injury, writing, "People, it's just Facebook. Not reality. Hello? Again ... it's just a name out of millions and millions of names. If some people can't appreciate my humor then tough. And if you don't like it, too bad, because it's my wall and I'll post what I want to."

Get Angry, Take Action

This makes my blood boil. How about you?

I hope this news gets you angry enough that you'll lead the charge at your organization - whether you work in healthcare or any other industry - to make sure your co-workers know the do's and don'ts of social media.

So, does your organization have a detailed social media policy in place? Have you educated the workforce about complying with the policy? Is your organization enforcing the policy with zero tolerance for violations? It's time to check.

When I asked Providence Holy Cross to comment on the incident and the steps the hospital plans to take, a spokesman sent me a statement saying it couldn't comment on specifics because the matter is under investigation.

The statement notes: "Providence ... guided by core values that include respect and dedicated to compliance with state and federal privacy laws, takes patient privacy very seriously and regularly trains employees on the importance of guarding patient records. We are investigating this report and if necessary will work with the staffing agency to ensure the individual is not allowed to work in the future in any Providence facility. We also will work with the agency to continue to provide training for contractors to comply with our patient privacy policies and our core values."

The spokesman who sent the statement declined to talk about the organization's social media policy - at least for now.

But even a great social media policy, supported by a top-notch education and awareness program, can't prevent those who are determined to express their "humor" at the expense of others. Demonstrating that such social media misbehavior will result in serious sanctions, however, can prove to be a powerful deterrent.

So here's what I hope will happen in this case. If the details of this incident are confirmed, the culprit should not only lose a job but also should get a tough penalty for violating HIPAA as well as any applicable state regulations.

I also hope other social media abusers get similar, well-publicized penalties. Unfortunately, it's the only way to get some folks to take privacy protection seriously.

In the meantime, privacy and security professionals have a moral obligation to make sure their organizations have a clear-cut social media policy that's well-understood by the workforce and that's well-enforced.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.