And while this story concerns a direct provider of health services and not a law firm, and is an example of (alleged) extreme malfeasance, it does highlight the risks and implications of making Protected Health Information (PHI) generally available to firm personnel and staff, particularly when enforcers put things under a microscope.
Worth noting: material to the fact pattern are allegations of failing to implement security controls and monitoring, both explicitly required by the 2013 HIPAA Omnibus Rule. For the complete story, see: "Health Data Theft Case Prompts Lawsuit - Suit Alleges Adventist Health Failed to Protect Information" --
- "The class action lawsuit, filed April 9 in the U.S. District Court in Orlando, Fla., alleges that 'Florida Hospital breached its statutory obligation and express promise by maintaining its patients' sensitive information in an electronic database that lacked crucial - and statutorily required - security measures and protocols, in addition to failing to adequately train and monitor its employees' access to sensitive information.'"
- "The lawsuit alleges that Florida Hospital employees were 'able to easily gain access to the sensitive information of thousands of patients across 22 campuses using nothing more than employer provided log-in credentials, even though they were not authorized to access such information.'"
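The pattern alleged above, staff with perfectly valid credentials reading records across many campuses and nobody noticing, is what a routine access-review job over the EHR audit trail is meant to surface. The following is an added example, not code from the article, the hospital or the litigation: it parses a constructed audit-log format, checks each user against a hypothetical home-campus assignment, and flags cross-campus reads and unusually high patient counts. The log format, user names, campus codes, `HOME_CAMPUS` mapping and the `max_patients` threshold are all assumptions for illustration.

```python
"""Minimal PHI access-pattern review over EHR audit records (added example).

Flags users who read records outside their assigned campus or who touch an
unusually large number of distinct patients. The audit-line format, the
sample records and the home-campus mapping below are constructed.
"""
from collections import defaultdict

# Constructed audit lines (hypothetical format; not data from the article).
SAMPLE_AUDIT_LOG = """\
2014-04-01T08:02:11 user=nurse01 campus=C01 patient=P1001 action=view
2014-04-01T08:05:40 user=nurse01 campus=C01 patient=P1002 action=view
2014-04-01T09:10:02 user=clerk07 campus=C01 patient=P2001 action=view
2014-04-01T09:11:15 user=clerk07 campus=C02 patient=P2002 action=view
2014-04-01T09:12:30 user=clerk07 campus=C03 patient=P2003 action=view
2014-04-01T09:14:01 user=clerk07 campus=C04 patient=P2004 action=view
2014-04-01T10:00:00 user=admin02 campus=C01 patient=P3001 action=view
2014-04-01T10:00:30 user=admin02 campus=C01 patient=P3002 action=view
2014-04-01T10:01:00 user=admin02 campus=C01 patient=P3003 action=view
2014-04-01T10:01:30 user=admin02 campus=C01 patient=P3004 action=view
2014-04-01T10:02:00 user=admin02 campus=C01 patient=P3005 action=view
2014-04-01T10:02:30 user=admin02 campus=C01 patient=P3006 action=view
"""

# Constructed user -> home campus assignment (stands in for an HR feed).
HOME_CAMPUS = {"nurse01": "C01", "clerk07": "C01", "admin02": "C01"}


def parse_audit_log(text):
    """Parse 'key=value' audit lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"ts": parts[0]}
        for field in parts[1:]:
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
        if {"user", "campus", "patient"} <= rec.keys():
            records.append(rec)
    return records


def review_access(records, home_campus, max_patients=5):
    """Return {user: [findings]} for users whose access pattern needs review.

    Two checks a minimal PHI-access monitor would run:
      - cross_campus: a read at a campus other than the user's assigned one
      - volume: more than max_patients distinct patients in the log window
    """
    campuses = defaultdict(set)
    patients = defaultdict(set)
    for rec in records:
        campuses[rec["user"]].add(rec["campus"])
        patients[rec["user"]].add(rec["patient"])

    findings = {}
    for user in sorted(campuses):
        issues = []
        home = home_campus.get(user)
        foreign = sorted(c for c in campuses[user] if c != home)
        if home is None:
            issues.append("no_home_campus")
        elif foreign:
            issues.append("cross_campus:" + ",".join(foreign))
        if len(patients[user]) > max_patients:
            issues.append(f"volume:{len(patients[user])}")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    result = review_access(parse_audit_log(SAMPLE_AUDIT_LOG), HOME_CAMPUS)
    for user, issues in result.items():
        print(user, issues)
```

On the constructed data, `nurse01` is clean, `clerk07` is flagged for reads at three campuses other than the assigned one, and `admin02` is flagged for volume. In practice the home-campus mapping and thresholds come from the identity and role data the organisation already holds, and the point is that this review runs on a schedule rather than only after a complaint.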