
Incident story · Insider data theft

The medical assistant gave proper notice. In her last two weeks, she copied everything.

The owner of a 12-provider orthopedic specialty clinic in the Southwest got the call eleven days after her medical assistant's last shift. A long-time patient was on the line, polite but confused — she had just visited a new orthopedic practice where the former MA now worked, and that practice already knew details about her treatment history. Three days later the practice realized the same MA had spent her last two weeks of employment quietly copying patient records, billing data, and internal physician notes to her personal cloud. Eighteen months later the practice had notified 4,200 patients, signed a corrective action plan with HHS-OCR, and absorbed a $1.8M settlement.

By Stefan Efros, CEO & Founder, EFROS · Reviewed by Daniel Agrici, Chief Security Officer, EFROS

At a glance

The shape of the incident

Industry / scale: Orthopedic specialty clinic · 12 providers · US Southwest · $9M revenue
Attack type: Departing insider — bulk copy of patient + billing data to personal cloud
Time to detection: 11 days after departure (patient phone call)
Total estimated cost: $2.4M (settlement + investigation + notification + operational impact)
Recovery time: 18-month HHS-OCR audit · 14 months to corrective action plan signoff
Cyber insurance recovery: ~38% of total ($915K of $2.4M)

What happened

60 days of notice, two weeks of quiet copying

The departure notice. A four-year medical assistant — a long-tenured employee with strong patient relationships — gave 60 days notice in early autumn. She cited a move closer to family. She offered to help train her replacement, which the practice appreciated. Nothing about her departure raised flags. Her access was not modified.

Weeks one through six. The MA worked her shifts. She trained the new hire. She covered for two providers during a conference week. She did not exfiltrate anything during this period.

Last two weeks. On her personal phone — a BYOD device she had used to access the practice's EHR mobile app since her first month — she pulled up patient lists for the providers she worked most closely with and used the app's export-to-share feature to send copies to her personal email. From her personal laptop, used on the practice Wi-Fi for the web version of the billing system, she downloaded billing exports and took screenshots of internal physician notes. Everything she touched synced to her personal Dropbox automatically.

The last shift. She returned her badge. She turned in her practice-issued workstation. Nobody asked about her personal phone or laptop. Her practice email was offboarded the same day. Her EHR account was disabled the following Monday. The practice had no record of what she had downloaded because the EHR vendor's audit log access required a support ticket they had never opened.

Eleven days later — the patient call. A patient called the practice manager to ask why the new orthopedic practice across town already had her treatment history. She had not authorized any release. The practice manager checked the EHR — no release was on file. She called the practice owner. The owner spent the rest of the day on the phone with breach counsel.

Days 11 to 22 — the investigation. Breach counsel engaged DFIR. The EHR vendor finally produced an audit log going back 90 days. The pattern was unmistakable: hundreds of chart views, dozens of patient list exports, and four billing downloads — all from the MA's account, all in her last two weeks. Subpoenaed cloud forensics later confirmed the destination: personal Dropbox synchronized to her home computer.

Day 22 — notification filed. The practice filed an HHS-OCR breach notification covering 4,200 individuals. State attorney general notifications followed in three states where patients resided. HHS-OCR opened an investigation that same week. HHS-OCR's first written question was why notification had taken eleven days after discovery.

Eighteen months later. The practice signed a $1.8M resolution agreement with HHS-OCR and a corrective action plan covering access controls, BYOD policy, departure procedures, audit log access, and an annual third-party compliance review. The MA faced separate civil action. The practice kept its license, kept most of its providers, and absorbed a 9 percent patient-attrition impact over the following year.

What it cost

The bill, itemized

Line item | Amount | Detail
HHS-OCR settlement | $1,800,000 | Resolution agreement covering inadequate access controls and delayed breach notification.
Breach investigation + forensic recovery | $250,000 | DFIR engagement, cloud forensics on personal accounts (compelled discovery), full scope determination.
Patient notification + credit monitoring | $185,000 | 4,200 individuals — mailed notice, call center, two years of credit + identity monitoring.
Legal defense + breach coach + compliance counsel | $165,000 | HHS-OCR response, state attorney general notification (3 states), employment-side litigation.
Patient attrition + revenue impact (12 months) | $340,000 | Roughly 9% of active patients did not return for follow-up care after the notification letters.
Operational cost — corrective action plan | $120,000 | DLP rollout, BYOD policy rebuild, MA-and-PA access review, quarterly attestation to HHS-OCR.
Cyber insurance recovery | ($915,000) | Carrier covered defense costs and a portion of the settlement. Did not cover the punitive component.
Net to the practice | ~$1,945,000 | After insurance recovery. Two partners deferred draws for 11 months to absorb the impact.

What we did

EFROS-style response — what an engagement looks like

First call — evidence preservation. We do not call the former employee. We do not call her new employer. We preserve the EHR audit log, the billing system audit log, and every endpoint she used while she was an employee. Breach counsel drives the legal posture from minute one.

Days 1 to 5 — scope and notification readiness. We work backward from every patient chart she touched in her final two weeks. We classify what was viewed, what was exported, and what left the practice. The scope determines the notification list. We prepare a notification package that can be filed quickly — not eleven days later — and update it as the investigation refines the scope.

Week 2 — compelled discovery on personal cloud. Through counsel we pursue cloud forensics on the personal accounts where the data was sent. Where the former employee cooperates, we confirm deletion. Where she does not, we preserve options for civil recovery.

Weeks 3 to 8 — HHS-OCR response. We assemble the evidence package HHS-OCR expects: access logs, audit trail, breach risk assessment, corrective action proposal, training records, policies. We do not let the practice answer HHS-OCR free-form. Every response goes through counsel.

Months 2 to 6 — corrective action plan execution. We roll out DLP across endpoints, configure conditional access on EHR mobile, rebuild the departure procedure with a documented checklist tied to HR's exit process, and stand up quarterly access reviews for every clinical role.

Ongoing. The practice operates under quarterly attestation with HHS-OCR for the next three years. We provide the evidence package each quarter. The practice owner's job is to run the practice; our job is to produce the audit-ready evidence on her behalf.

What you should take from this

Five things to do this week

  • 01 Insider data theft does not look like an attack. It looks like a tenured employee finishing her work. The medical assistant in this story had been there four years. She gave proper notice. She covered her shifts. Nobody was looking at what she was opening.

  • 02 BYOD without device management means no visibility. The MA used her personal phone to access the practice EHR via a mobile app, and her personal laptop to access patient billing via the web. Both routes synced to her personal cloud. The practice had no DLP and no logs of what was downloaded.

  • 03 The HIPAA breach notification clock starts on discovery, not on confirmation. The practice took eleven days to investigate before notifying — eleven days that HHS-OCR later questioned. The defensible position is to notify on discovery with what is known and update as the investigation progresses.

  • 04 Departure access reviews are not optional. The day notice is given, every account, every device, every cloud share, every shared mailbox the employee had access to should be inventoried. Not revoked yet — inventoried. Revocation happens on the last day. Monitoring happens for the two weeks between.

  • 05 The audit will find things unrelated to the original incident. In this case, HHS-OCR also examined the practice's AI-driven scheduling tool because of broader algorithmic-bias scrutiny on healthcare AI. The original incident was about insider access, but the corrective action plan ended up covering vendor AI governance as well.
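Takeaway 04 and the "scope and notification readiness" step above both come down to one control: once notice is given, watch the departing account's audit trail for the pattern the investigation found (a jump in chart views plus list exports and billing downloads in the final fortnight). The script below is an added example, not EFROS's tooling or any EHR vendor's API; the log line format, the action names and the user handle are assumptions, and the audit lines are constructed.

```python
"""Departing-employee watch over an EHR audit log (added example, constructed data)."""
from collections import Counter
from datetime import date, datetime, timedelta

# Action names are assumptions, not a vendor schema: chart views are routine,
# list exports and billing downloads are the bulk moves the investigation found.
BULK_ACTIONS = {"patient_list_export", "billing_download"}

def parse_log(text):
    """Parse constructed 'ISO-timestamp user action' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts), user, action))
    return events

def count_in(events, user, start, end):
    """Per-action counts for one user between dates start and end, inclusive."""
    return Counter(a for ts, u, a in events if u == user and start <= ts.date() <= end)

def review_departures(events, roster, baseline_days=60, window_days=14, ratio=3.0):
    """roster maps user -> (notice_date, last_day). Flag any bulk action in the
    final window, or chart views per day at >= ratio times the user's own
    pre-notice baseline. Returns {user: finding} for flagged users only."""
    findings = {}
    for user, (notice, last_day) in roster.items():
        base = count_in(events, user, notice - timedelta(days=baseline_days), notice - timedelta(days=1))
        win = count_in(events, user, last_day - timedelta(days=window_days - 1), last_day)
        base_rate = base["chart_view"] / baseline_days
        win_rate = win["chart_view"] / window_days
        bulk = {a: n for a, n in win.items() if a in BULK_ACTIONS}
        if bulk or (base_rate and win_rate / base_rate >= ratio):
            findings[user] = {"chart_view_rate_x": round(win_rate / base_rate, 1) if base_rate else None,
                              "bulk_actions": bulk}
    return findings

def constructed_log():
    """Constructed sample: 60 quiet pre-notice days of 5 chart views/day, then a
    final fortnight of 40 views/day with daily list exports and 4 billing downloads."""
    lines, first_day, last_day = [], date(2024, 7, 3), date(2024, 10, 31)
    for i in range(60):
        lines += [f"{first_day + timedelta(days=i)}T09:{m:02d}:00 ma_lopez chart_view" for m in range(5)]
    for i in range(14):
        day = last_day - timedelta(days=13 - i)
        lines += [f"{day}T10:{m:02d}:00 ma_lopez chart_view" for m in range(40)]
        lines.append(f"{day}T17:05:00 ma_lopez patient_list_export")
    lines += [f"2024-10-2{k}T18:00:00 ma_lopez billing_download" for k in range(4)]
    return "\n".join(lines)

ROSTER = {"ma_lopez": (date(2024, 9, 1), date(2024, 10, 31))}  # notice date, last shift
```

Run `review_departures(parse_log(constructed_log()), ROSTER)` to see the flagged account; in practice the roster comes from HR's notice list and the log from the vendor audit export the practice should already be able to pull without a support ticket.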

The 60-second self-check

Three yes/no questions

If any answer is no — or any answer is "I think so" — you have the same exposure profile as the clinic in this story.

1. If a clinical or administrative employee gave notice today, would you have an inventory by tomorrow of every system, share, mailbox, and cloud account they can access?

Not a job description. An actual list of system identities tied to that human.

2. Do employees have practice data on personal devices, personal cloud accounts, or personal email — even occasionally — and would you know if they did?

If the answer involves the words 'they're not supposed to,' that is not a control.

3. If a patient called tomorrow and said another practice had their records, could you investigate without waiting on a vendor to provide log access?

Most practices cannot. The logs exist; the access to query them lives with someone else.


Names, locations, and identifying details changed. Numbers represent typical ranges from EFROS engagements; specific cases vary. Nothing on this page is legal advice.