I get pretty excited whenever a new regulatory framework like HIPAA or SOX is enacted. Not only does it bring the potential to sit on a committee responsible for deciding the procedure needed to formulate a project request to initiate the creation of group responsible for determining the key players on a compliance assessment team, but it brings some pretty interesting stories of non-compliance like this anonymously submitted one ...

I worked on a web project for my company that tracks diagnosis and treatment information for drug addicts. Because this is medical information, it is subject to the many privacy regulations set out in the HIPAA legislation. This law mandates, among many other things, that you stand behind the line at the pharmacy (lest you get a glimse of the computer screen with the prescription information on it.) And ours is medical information about people who are seeking treatment for drug addition - double private!

My company maintains the web application and the servers it runs on, but the client kept requesting install files, documentation, and finally source code, ostensibly for "disaster recovery." We figured they were up to something, but we didn't know what.

So a coworker of mine gets an automated email from the site informing him of an error, which is a feature of course, and immediately begins to investigate. He quickly discovers that the email did not originate with any server we maintain. Where is this server? He opens Google and does a quick search. Bingo, our client has set up a training server on the sly.

On the public internet.

And the person responsible pre-filled the login and password fields, to make it easier to log into the site.

With the admin account information.

And used his own, real, address and university student email when configuring the account. My coworker recognized the address - he used to live in the same apartment complex.

Now for the good part. This training server needed a database, of course. Our client backed up the production database, and sent it to their el-cheepo student programmer to set up their new training server, presumably at a lower hourly rate.

My coworkers were amazed - a few clicks from Google, no typing, no guessing a password, they're looking at what is surely the grossest violation of the HIPAA regulations *ever*. Names, social security numbers, diagnosis and treatment information for drug addicts across the state.

You get what you pay for.

Update: Fixed typo in title (HIPPA --> HIPAA)