A reminder, if you needed one, that a data breach need not involve computers and an external bad actor. Staff training is just as important as firewalls and fancy software:
[…] In Parker v. Carilion Clinic, Virginia’s highest court partially revived a lawsuit against a health care provider and its two employees for allegedly disclosing confidential patient information. In her complaint, the plaintiff, Lindsey Parker, alleged that Carilion Clinic and Carilion Healthcare Corporation (hereinafter “Carilion”) and two employees, Christy Davis and Lindsey Young, unlawfully disclosed Ms. Parker’s confidential medical information to an unauthorized acquaintance. Parker alleged that seven months after she was diagnosed with a medical condition at a Carilion-owned OB-GYN, she was awaiting treatment at a Carilion-owned family medicine clinic when she struck up a conversation with a male acquaintance. Davis, who also knew the man, witnessed the conversation in the waiting room and pulled up Parker’s medical file. After seeing the OB-GYN diagnosis in Parker’s file, Davis called Young, Davis’s friend and fellow Carilion employee. Davis relayed to Young information regarding Parker’s diagnosis and that Parker was conversing with the man whom they all knew. The plaintiff alleged that Young then disclosed Parker’s diagnosis to the man without Parker’s authorization. The man, in turn, told Parker about what he had heard.