Ask a Manager

{ 58 comments… read them below }

1. Job seeker* February 14, 2013 at 1:54 pm

   I agree with Alison it sounds like you are wanting drama. I think maybe just a tad of jealousy is making you behave like this. Your issue sounds more personal and there is probably a lot more to this. Take Alison’s suggestion and change the e-mail password or account. Problem solved.
   1. Mike C.* February 14, 2013 at 4:41 pm

      I think you’re reading way too much into the situation.
2. Brittany* February 14, 2013 at 1:57 pm

   I disagree with the advice here. Yes, the annoying part is definitely the privacy violation, but this woman is absolutely without a doubt breaking HIPAA by accessing an account with PHI (I work in healthcare and am fairly well versed in HIPAA). Agreements need to be in place for her to be privvy to ANY kind of patient data. If she is hacking into his email somehow (and it doesn’t seem to specify if it’s his personal or work email), password changes are not going to help. He needs to inform his IT department immediately if it’s work and also his immediate supervisor.

   The privacy issue is secondary to the privacy violation of patients. If the ex-wife is not looking for anything patient related, it’s still a violation that she is actively accessing it.
   1. Ask a Manager* Post authorFebruary 14, 2013 at 2:00 pm

      Yes, but isn’t it a violation on the husband’s side for making access possible? The ex-wife isn’t a medical professional and not subject to HIPAA.
      1. Brittany* February 14, 2013 at 2:12 pm

         Yes if the husband knows the violations are happening and is just shrugging his shoulders, it’s definitely a violation on his part. If he keeps changing his password and trying to thwart her, that’s where it gets dicey. HIPAA IS for healthcare providers and healthcare organizations to safeguard individual privacy and is not bound to people outside the industry, so the ex-wife might not necessarily be in trouble, but she sure would be if he brings it to the attention of his superiors and IT department and they have to keep warding off her attempts. Again, there isn’t enough detail to know. Either way, if the husband is self-practicing or part of an organization, it would be a huge issue/possible lawsuit if she were to obtain any PHI from his email, use it, and patients found out. It would be a PR nightmare.
      2. Anonymous* February 14, 2013 at 4:23 pm

         From my understanding, you’re right, Alison. Health care providers are the responsible party regardless of how the information leaked. It goes back to who originally captured the data.

         Private Health Information is something that should not be sent via email in plain text. That’s HIPAA common sense rule #1.

         Knowing your email password has been compromised and not changed is a violation of common sense rule #2.

         Knowing that your email is compromised and using it to send sensitive information seems like a violation of common sense rule #3.

         I’d add something about using two-phase authentication for anything important, but that’s more technical in nature and not a violation of any common sense rules. :)
         1. ThatHRGirl* February 15, 2013 at 10:12 am

            +1
      3. Kou* February 14, 2013 at 5:22 pm

         It is indeed. The ex-wife is not responsible for someone else’s PHI to be kept private– only the people whose job it is to use the PHI is responsible. And even if a leak is accidental (someone steals your phone with your work email on it, your email is hacked) you have to deal with it on your end. Husband’s employer will have the means to shut this down (they should have a ton of protocols in place for this exact scenario) and he needs to talk to them like yesterday. This is a MASSIVE oversight on his part.
   2. fposte* February 14, 2013 at 2:01 pm

      The ex-wife isn’t bound by HIPAA, because she’s not a health-care provider, insurer, etc. She therefore can’t be in breach of it and her company isn’t at any risk of fines. The person who will get nailed for HIPAA violations is the health-care professional who isn’t adequately safeguarding data–the OP’s husband.
      1. A Bug!* February 14, 2013 at 2:48 pm

         Yup! There’s fault on the ex-wife’s part for accessing information she knew she wasn’t entitled to access. But there’s no violation of HIPAA there on her part.

         Just like if I call up a hospital and ask for personal information I’m not entitled to, if the hospital gives it to me, they’re the one violating confidentiality, not me.

         I doubt any wire tapping laws come into effect here either (unless the “hacking” is more complicated than “You’re using a password I know or can guess”), but on that front I’d love to hear from someone with actual knowledge of those laws.
      2. ITwannabe* February 14, 2013 at 3:36 pm

         That is my understanding as well (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html). However, that doctor could be out a lot of money for not changing his password (http://www.onlinetech.com/compliant-hosting/hipaa-compliant-hosting/resources/what-is-a-hipaa-violation). So OP, please tell your husband to change his password. Now.
         1. fposte* February 14, 2013 at 4:19 pm

            It’s kind of interesting that the OP seemed to really, really want to get her predecessor in trouble and didn’t realize that she was really, really likely to get her husband in trouble.

            Of course, they may not even be married now–four years is a long time!
3. IronMaiden* February 14, 2013 at 1:59 pm

   I don’t suppose we’ll find out how this one ended up either. Sooo frustrating!
4. tangoecho5* February 14, 2013 at 2:02 pm

   She’s been doing it a year? And only now is it such a big deal? Part of me thinks the OP & her husband love the drama of the whole situation as if they’re being screwed over by the big bad vengeful ex-wife. Otherwise, that password would have been changed immediately when the husband found out what happened rather than let it drag on.

   Lastly, I want to know exactly how the OP found out the ex was the one breaking into her husbands email and using her work computer to do so. Did the OP engage in some immoral or illegal activity herself to figure all this out? Funny how she’s all worried about patient confidentality when the ex might learn something but not so worried that she proactively acted to stop the access quickly.

   Rather than pretend she’s Nancy Drew, maybe the OP would be better served to move on and not be another high drama wife so AAM won’t hear in a few years from wife #3 complaining how wife #2 is reading her emails.
   1. VintageLydia* February 14, 2013 at 2:23 pm

      Well, it’s not illegal to trace IP addresses or any other footprints we leave on the internet. Alison can do it to any one of us if she cared to (and I used to all the time when I wrote a blog, more for the sake of curiosity than anything else.) The doctor definitely has a massive security hole (or his employer does depending on which email she’s hacking and how he connects to it) and should’ve been addressed the moment they noticed it happening, so he and the OP aren’t in the clear either. But it’s not illegal or unethical to dig up where the attacks are coming from. Network security people do it all the time.
      1. Ask a Manager* Post authorFebruary 14, 2013 at 2:25 pm

         Here’s something I’ve always wondered about: I know you can trace an IP address to get the general geographic location of the person. But to narrow it down further than that, don’t you need a subpoena from the ISP or something like that?
         1. K* February 14, 2013 at 2:49 pm

            Yeah; but often people get themselves into trouble because the IP from e-mails that are admittedly from them matches e-mails or anonymous posts that they deny making. It’s never certain; more than one person could be using a given computer, but it can provide pretty strong circumstantial evidence under the right set of circumstances.
            1. VintageLydia* February 14, 2013 at 3:08 pm

               Yup, it’s how I discovered one of my frequent commenters also posted anonymously to troll (he did this for about a day. I publicly called him out on it so he stopped and never commented again, though he still visited often.)
               I’m not sure how you’d figure it out from email hacking (whether it was actual hacking or using a password) but my friends who maintain networks talk about finding this stuff out often.
         2. Jamie* February 14, 2013 at 3:09 pm

            That’s my understanding which makes this complicated for the majority of people posting from consumer ISPs.

            If everyone had a private host and static IPs there would be a lot less anonymity online.
         3. Pandora Amora* February 14, 2013 at 5:36 pm

            No, you don’t need a subpoena to get more specific than a geographic region; given any IP address, you can find out:

            – the geographic region (“Minnesota”) via geo-ip lookup;
            – the ISP (“RoadRunner DSL”) who owns that IP block;
            – the actual outbound server from the ISP.

            Play with “tracert” for the last one (windows: windows-r, ‘cmd’, ‘tracert ‘); play with a domain lookup service for the second one.

            Once you know the ISP you can easily send an email to their abuse department informing them that whichever account was connected to your blog at such-and-such a time with such an IP, and give a sample of the harrassing comments you’ve been getting.

            The subpoena is required when you want to identify the end user on the keyboard, and the ISP hasn’t responded to your requests for assistance.
         4. RF* February 15, 2013 at 2:18 am

            You can get frighteningly specific information from the IP, actually. It very much depends on who your service provider is and how they distribute IPs. So you might only be tracable back to a US state, or it might actually be able to see you are from a specific village with a population of 2,000, which narrows down who you are considerably.
      2. Elizabeth West* February 14, 2013 at 7:49 pm

         I need to learn about this so I can describe it in a novel without actually telling someone how to do it. My company’s security is AH MAZING. I should pick the IT department head’s brain. He seems to know more about hacking than anyone I’ve ever met.
   2. jesicka309* February 14, 2013 at 4:58 pm

      For all we know it could be as simple as one of the husbands patients blithely saying “I didn’t know I’d been signed up for this health magazine I started receiving, is that something this practice does automatically? I’d like to opt out.” That would definitely set the OP and her husband onto who had been taking the information, without needing to go all internet sleuth.
5. The IT Manager* February 14, 2013 at 2:11 pm

   I would assume the term “breaking into his email” doesn’t actually mean she’s using a known password to log in. (If someone uses a key you gave them to get into your house is not breaking in.) That’s not breaking in. OTOH if they know this is happening they can make an effort to plug the security hole and stop the break ins.

   If she’s breaking into his account they want to report it they should go to the police and not her boss so, yeah, his whole question sounds off.
   1. fposte* February 14, 2013 at 2:13 pm

      I think that an IT person wouldn’t describe it as “breaking in,” but a peeved layperson might. I’m wondering if the ex simply had the husband’s passwords during the marriage and he never changed them (which would again put him in breach of HIPAA if he’s talking about patients on that email).
      1. The IT Manager* February 14, 2013 at 2:19 pm

         If all the husband needed to do was change his password to stop the “break-ins”, then he and the LW are dumb, inviting drama, and the husband is opening himself up to HIPPA violations for not taking steps to protect private information.

         Sadly we probably won’t be getting an update because I’d be curious for further information.
         1. fposte* February 14, 2013 at 2:58 pm

            I’m not completely convinced the version husband was telling current wife was what was actually happening, either. It’s always simpler to make the ex the complete villain than to own up.
         2. Kou* February 14, 2013 at 5:25 pm

            Absolutely. Protecting that information (at extreme cost, my hospital will completely wipe a device or an account if they think it’s being accessed by someone it shouldn’t) is entirely his responsibility. Even if she was legitimately hacking (which I doubt) him not reporting it to the proper people at his employer has opened him up to all the same hot water.
      2. Jamie* February 14, 2013 at 3:12 pm

         It may not even that she had the passwords but that he had the brilliant and original idea of using his birthday or kids’ names or whatever…because no one would guess those.

         I have nothing but contempt for this doctor not immediately acting to safeguard the privacy of his patients. Alert IT so they can lock this down. This is just callous disregard for his obligation to his patients.
         1. ITwannabe* February 14, 2013 at 3:46 pm

            Agreed. If they were savvy enough to know that the email was being accessed, they were savvy enough to know to change the password. On another note, I devoutly hope that the doctor wasn’t storing patient information on a personal email account. That is a whole different problem in and of itself.
6. some1* February 14, 2013 at 2:12 pm

   Don’t get into a pissing contest with a skunk.
   1. AdAgencyChick* February 14, 2013 at 2:38 pm

      HA! I’ve never heard that expression before, but it is AWESOME.
   2. Malissa* February 14, 2013 at 2:48 pm

      I am stealing this!
   3. Elizabeth* February 14, 2013 at 3:52 pm

      Isn’t that kind of like “Don’t wrestle with a pig. You’ll only get dirty and the pig will like it”?
7. John* February 14, 2013 at 2:22 pm

   Technologically challenged.
8. Your Mileage May Vary* February 14, 2013 at 2:24 pm

   Because the OP mentioned that ex-wife works for a healthcare publishing company, do you think she’s taking information from these emails and using them in articles? Something like “Nancy (name changed) says her condition was undiagnosed for 13 years before doctors finally discovered what it was.” That’s the only reason (other than spite) that I can think of why they think it would be a good idea to let the employer know.

   Not that I think it’s a good idea. The onus here is on the husband to keep his account secure. I do not believe ex-wife is Silva (Javier Bardem in Skyfall), able to break into any computer willy-nilly and take what she wants. Husband is leaving it wide-open for her.
   1. some1* February 14, 2013 at 2:54 pm

      I wouldn’t imagine that a Managing Editor is actually writing a lot of articles, unless it’s a small operation.
9. Esra* February 14, 2013 at 2:34 pm

   Did she ever update on how it went? I’m pretty curious as to why they didn’t just change the password.
   1. Ask a Manager* Post authorFebruary 14, 2013 at 2:38 pm

      Nope. One of the sad things about outrageous letters like this is that they’re great fun to respond to, but the writers tend not to weigh back in because they don’t want to wade into a group of people criticizing them.
      1. kasey* February 14, 2013 at 2:46 pm

         …maybe this can shine a bit of perspective on the situation. :)
      2. Esra* February 14, 2013 at 3:02 pm

         Ah that’s too bad. We’re usually pretty nice (by internet standards?) to the OPs who come to the comments.
         1. Ask a Manager* Post authorFebruary 14, 2013 at 3:10 pm

            I think we are too. But when you’re the one being told that you’re wrong (no matter how nicely), it can be pretty unpleasant for a lot of people, or at least make them defensive. And sometimes people do say things that they wouldn’t say to a person’s face if they knew them (“your reasoning is sounds dumb” or whatever). It can feel tame for the Internet, but still hard to hear if you’re the one being talked about.
            1. Esra* February 14, 2013 at 3:16 pm

               That’s very true. I’m glad there are some updates though. There are a few Captain Awkward entries I would kill to hear a follow-up on.
               1. TL* February 14, 2013 at 4:54 pm

                  Yesterday someone who wrote into AAM and got published got a question published on Captain Awkward…
                  Funny that today Captain Awkward gets referenced in AAM!
10. kasey* February 14, 2013 at 2:42 pm

    Oh, wow. If OP and husband knew this was going on for the past year, that doesn’t speak highly of his regard of patient confidentiality. Change the password. Trace the IP, try to plug the hole. And if she persists take action with IT, then employer.
    But imagine that conversation, husband: “she’s been doing this for the past year!” employer or official: “so why I am just hearing about this now?” I sincerely hope my doctor would not wait this out “for the past year” just to see how this drama ends. You have really lost he moral high ground so to speak. I wonder if your husband might in in violation of HIPPA for turning a blind eye “for the past year” to this breach?
    1. Elizabeth* February 14, 2013 at 3:37 pm

       Given the most recent changes in the federal enforcement of HIPAA & HITECH (the health IT section of the ARRA) that were released a few weeks ago, Herr Doktor doesn’t really want his employer to find out that he knew it was going on and didn’t report it or make any effort to stop it for a year.

       The fines start accumulating when any “agent” of the covered entity are become aware or should reasonably become aware of the breach of protected health information. He knew or even suspected the ex was getting into his email? Yeah, he’s toast.

       Each day is considered a new violation. This would be considered willful neglect, because he knew about it and did nothing about it for 365 days (I’ll be kind and assume this hasn’t continued since they wrote in 2009), which is $10K – $50K per day per violation. Again, we’ll be kind, and say $3,650,000, assuming they don’t slap down the top end fine. Fortunately for Herr Doktor, they cap the fine at $1.5M per violation per year. But, that then assumes that they don’t start looking at criminal charges under the original law.

       And depending on what state Herr Doktor lives in and his patients live in, he could be required to make personal notification to his patients that their information was breached (California requires it if the patient lives there, so you aren’t safe from it even if you don’t). If he’s a fairly typical general medicine practitioner, he’s probably well above the 500 patient threshold for requiring media notification. So, you have to send out a press release to the local media, stating how & when the information was breached, along with what steps you are taking to assure that they don’t suffer harm because of your screw up.

       Yeah, there is no good outcome here for Herr Doktor. If he had changed his password & called his IT department as soon as he found out about it, he might have been okay. Now? Not a chance.
       1. ITwannabe* February 14, 2013 at 4:25 pm

          I would add Risk Management to that list of notifications as well. They would have taken steps to protect both him and the institution he is affiliated with. If he is affiliated with a hospital (and most doctors are on one level or another), that institution could be at risk, too. Bad, bad juju…..
11. Rayner* February 14, 2013 at 3:08 pm

    I’d say that this doesn’t need to be reported to the boss, it needs to be taken to senior management/and possibly the police!

    Hacking email accounts is illegal, and the doctor husband could be leaving himself wide open to reports of breaching confidentiality if he’s knowingly not let senior people know and made every effort to prevent her – changing email accounts, his passwords, and letting his management know about it.

    He has a responsibility to the patients to protect their privacy, and failing to do so is horrible.

    If she’s getting in with an old password, more fool him, but it’s utterly absurd that this has been going on for so long when confidential patient notes and information could be found.
12. JLL* February 14, 2013 at 3:13 pm

    Look- you don’t like the ex, and that’s fine.
    But keep it 100- you really would like to get her in trouble because she’s a pain in the ass to you.

    Relating it to her job is a stretch, and if your husband hasn’t changed his passwords (like, how hard is it to change it to something random?) even though he knows someone is accessing his account, IT might have more questions for HIM as opposed to any trouble she might get into. As many have said, change his password and keep it moving.

    And as a side note, this is not a problem “we” are having- regardless of her involvement, this is a professional problem, which means it’s a problem HE is having. You are not involved in this, and you shouldn’t be.

    Signed,

    A woman whose partner has an ex-wife
    1. some1* February 14, 2013 at 3:31 pm

       “And as a side note, this is not a problem “we” are having- regardless of her involvement, this is a professional problem, which means it’s a problem HE is having. You are not involved in this, and you shouldn’t be.”

       I noticed that, too, and the part where she won’t stay out of “our lives”.
13. OldSoul* February 14, 2013 at 3:20 pm

    http://strongpasswordgenerator.com/

    ^This and Allison’s advice will help you, your husband, and the marriage.
14. Lora* February 14, 2013 at 3:24 pm

    Lord have mercy. Having just gone through a dramatic and heartbreaking divorce, I agree w/ the folks who say this is drama-seeking.

    I also was accused of violating my husband’s HIPAA privacy by his lawyer *after* MY lawyer and the judge caught his silly girlfriend attempting to commit insurance fraud using my health insurance–he was, and is, still on my health insurance as part of our separation agreement, so I receive the statements from Blue Cross. The cards have both our names on them, she showed up at the obstetrician claiming to be me…except it says right on my medical records that I’m infertile. His lawyer’s complaint was that she/he should never have been caught because I wouldn’t know unless I was violating his medical privacy…by opening an envelope from Blue Cross which was addressed to me, and by replying to phone calls from Blue Cross questioning the legitimacy of the charges. It had to be explained to them that fraud protection is a legitimate activity and that health care fraud is the one thing that can ban you from getting health insurance in the US.

    TL;DR. I would also suspect there is something sketchy beyond hubby merely being password-challenged here. But that is just based on my experience, I know my ex had all sorts of horse pucky to say (not just about me, but about his own income/lifestyle/interests/health) to his girlfriend, and she was shocked, shocked! to find out that he had lied to her.
    1. some1* February 14, 2013 at 3:34 pm

       Yeah, it’s fishy to me that the husband would know his ex-wife is hacking into his email for a year and not do anything about it.
15. annalee* February 14, 2013 at 4:57 pm

    Wow. I’m surprised at all the victim-blaming going on here.

    I don’t see anything in the original message that says that the doctor has known about the hacks for a year–only that they know it’s been happening for a year. They very well could have discovered the hacks recently.

    Also, federal law defines hacking pretty broadly. See, for example, this case, where a man was sentenced to 10 years in federal prison for breaking into email accounts belonging to famous women. His dastardly angle of attack? Correctly guessing their password hint questions. According to the linked article, he got off easy: the laws he violated carried a maximum sentence exceeding 12o years in prison.

    Or consider the story of Andrew Auernheimer, who was arrested for ‘hacking’ because he stumbled across an AT&T API that was publicly broadcasting ipad users’ email addresses to the entire internet. No password-guessing or any other attempts to get around their security. He just found something AT&T had accidentally left open to the public, and that was sufficient to complete the offense.

    So even if the ex-wife is doing nothing but guessing the password (heck, even if she knew the password because he forgot to change it, and they just now discovered she’s been using it) she’s still committing a federal crime. She’s intentionally accessing computer files she knows she doesn’t have permission to access, and that’s all it takes to be a ‘hacker’ under federal law.

    Personally, I think those laws are rather extreme. But if you were her boss, wouldn’t you want to be informed that an employee was using company resources to commit a felony? Especially a malicious one, like cyber-stalking an ex?

    Yes, one take-away from this story is that folks should use strong passwords, and change them periodically. But if someone chooses to access your email without your permission, then no matter how weak your password is, they’re still the ones in the wrong.
    1. Ask a Manager* Post authorFebruary 14, 2013 at 5:04 pm

       I don’t think anyone is arguing that the ex-wife is in the right. But the current wife’s take on this is missing the point, seems agenda-driven in itself, and seems designed to cause more drama than to simply solve the problem.
       1. annalee* February 14, 2013 at 5:19 pm

          I agree that the HIPAA thing is a gigantic red herring, and that the current wife is clearly angry and out for some payback. But if someone was hacking my email from a library, I’d tell the library, so they could prevent the person from misusing their resources. I don’t see how it’s any different to tell their employer under similar circumstances.
       2. Kou* February 14, 2013 at 5:35 pm

          Nail on the head right here. Annalee is right, theoretically, about the situation as a whole– but the solution to this problem is for husband to talk to his employer so they can plug the leak. The second he fails to do this (it has to be immediate) the issues shift from the leak to him not managing the leak very, very quickly. Which might sound crazy to someone outside healthcare– why would an individual be responsible when they’re victimized? –but that’s what the standards are for those of us that work with patient information.

          And if there is some reason to believe ex-wife’s employer should be brought in, that should be done by husband’s employer and not by husband and vigilante wife. Handling it the way the OP proposes is far from proper and close to personally vindictive in an entirely useless way.
16. cncx* February 16, 2013 at 11:10 am

    As a paralegal who changed careers to IT, I’m really confused: has this dude not changed his password in a year? Is this woman buddies with whoever handles AD? Has dude not changed his backup email or secret question in gmail/hotmail? Why does she still have access- is it poor computer literacy and password hygiene, like did he give her the password when they were married and has not bothered to change it? Does he use a stock password that is easy to guess? Or is she “hacking” the mail? If she is straight up hacking (going into AD or something) then ex gets all my rage. If dude isn’t being smart with his passwords, then him and the OP are not completely innocent here (besides the fact that OP sounds like an agenda troll).

    I don’t know a lot about US law, but in the countries where I worked in law, if the guy has not taken appropriate steps to secure his account (giving his password to people, leaving it on a postit, making it his birthday etc), this too could turn into a problem for him and his employer, for example if their infrastructure team in turn doesn’t have a good password policy (expiring passwords, requiring a level of complexity…) and management does not have rules about password sharing in the employee guidelines.

    My point is, there is a big difference morally and legally between two people not having good password practices, and an ex-wife social engineering or straight up hacking an account.

Comments are closed.