A hospital employee took a simple picture in his/her Emergency Department workspace for a Facebook post. However, the picture also captured his/her computer screen and a patient's personal information.
This simple data breach and HIPAA violation unfortunately has already led to the patient's identity being used by someone who now has her name, address and social security number. The patient describes this entire incident as a "nightmare", so my guess is that her patient satisfaction scores for the visit will reflect the fear and frustration she is experiencing.
This report initially ran in the local newspaper and, I'm guessing, has created a bit of a public relations mess for the University of Arizona Medical Center, as well.
So let's review the costs to the hospital:
1. HIPAA penalties
2. Potential state fines
3. Lawsuit: Defense costs and settlement/award
4. Damage to brand and recovery costs
5. Additional training costs and potential recruitment costs (to fill a possible vacancy if the employee is terminated)
6. Lower patient satisfaction score and reduction in reimbursement
Hummm, wonder if the employee feels this was all worth a picture that was ultimately removed from his/her Facebook page.