Savage_ivory

Yikes. All the more reason to report. If they play that loose with their patient info, do you think they are protecting your company's information? Here's hoping they don't have any employee info on you or your colleagues like SSNs, W-2's, etc.

I've witnessed that most breaches of personal medical info aren't by hackers but rather derp moments by doctors, nurses, etc to whom they are entrusted. Leaving a briefcase full of patient files on the subway. Not encrypting a personal laptop where you keep hospital databases on. HIPAA violations when they are caught are not too much money- an unnamed hospital was recently fined 1 mil when a doctor lost his laptop with patient info. But the subsequent "corrective plans" imposed on institutions after the derp cost many, many millions in new security, manpower, training, equipment, oversight....

It can become a genuine BFD when the hospital or institution receives federal money or grants. The government will pull the money if HIPAA rules are broken and you don't fix it fast. Labs can be shut down. Hell, whole hospitals can be closed. That aside, consider anonymously reporting the incident. You can do that and it may actually save your client's ass down the road.