should we report husband’s ex-wife to her boss?

Here’s another post from October 2009 to continue our Valentine’s Day theme.

A reader writes:

My husband’s ex-wife has been breaking into his email for the past year. They have been divorced for 2 years. She just can’t stay out of our lives!

Well, here is why I am asking you. She works as a managing editor for a publishing company that produces a Catholic health care magazine. My husband is a physician with all this patient information in his email. We have proof she has been doing this and we have proof she has only done it from her work computer. Should her boss know she might be getting information improperly? Actually, it’s called federal wire tapping act, and breaking HIPAA violations, which could be thousands of dollars in fines for her company.

Why doesn’t your husband change the password on his email? If for some reason that won’t solve the problem (and I don’t know why it wouldn’t), he should set up a new email account. These are much cleaner and more effective solutions. You’re looking for drama when there doesn’t need to be any.

Your issue isn’t really that there’s patient information in your husband’s email account, and come on, you know that. Your issue is that she’s violating his privacy, period, regardless of where she’s doing it from or what she’s finding. Don’t engage; just change the email password or change the account if necessary, and move on.


  1. Job seeker*

    I agree with Alison; it sounds like you are wanting drama. I think maybe just a tad of jealousy is making you behave like this. Your issue sounds more personal and there is probably a lot more to this. Take Alison’s suggestion and change the e-mail password or account. Problem solved.

  2. Brittany*

    I disagree with the advice here. Yes, the annoying part is definitely the privacy violation, but this woman is absolutely without a doubt breaking HIPAA by accessing an account with PHI (I work in healthcare and am fairly well versed in HIPAA). Agreements need to be in place for her to be privy to ANY kind of patient data. If she is hacking into his email somehow (and it doesn’t seem to specify if it’s his personal or work email), password changes are not going to help. He needs to inform his IT department immediately if it’s work and also his immediate supervisor.

    The privacy issue is secondary to the privacy violation of patients. If the ex-wife is not looking for anything patient related, it’s still a violation that she is actively accessing it.

    1. Ask a Manager* Post author

      Yes, but isn’t it a violation on the husband’s side for making access possible? The ex-wife isn’t a medical professional and not subject to HIPAA.

      1. Brittany*

        Yes if the husband knows the violations are happening and is just shrugging his shoulders, it’s definitely a violation on his part. If he keeps changing his password and trying to thwart her, that’s where it gets dicey. HIPAA IS for healthcare providers and healthcare organizations to safeguard individual privacy and is not bound to people outside the industry, so the ex-wife might not necessarily be in trouble, but she sure would be if he brings it to the attention of his superiors and IT department and they have to keep warding off her attempts. Again, there isn’t enough detail to know. Either way, if the husband is self-practicing or part of an organization, it would be a huge issue/possible lawsuit if she were to obtain any PHI from his email, use it, and patients found out. It would be a PR nightmare.

      2. Anonymous*

        From my understanding, you’re right, Alison. Health care providers are the responsible party regardless of how the information leaked. It goes back to who originally captured the data.

        Private Health Information is something that should not be sent via email in plain text. That’s HIPAA common sense rule #1.

        Knowing your email password has been compromised and not changed is a violation of common sense rule #2.

        Knowing that your email is compromised and using it to send sensitive information seems like a violation of common sense rule #3.

        I’d add something about using two-phase authentication for anything important, but that’s more technical in nature and not a violation of any common sense rules. :)

      3. Kou*

        It is indeed. The ex-wife is not responsible for someone else’s PHI to be kept private– only the people whose job it is to use the PHI are responsible. And even if a leak is accidental (someone steals your phone with your work email on it, your email is hacked) you have to deal with it on your end. Husband’s employer will have the means to shut this down (they should have a ton of protocols in place for this exact scenario) and he needs to talk to them like yesterday. This is a MASSIVE oversight on his part.

    2. fposte*

      The ex-wife isn’t bound by HIPAA, because she’s not a health-care provider, insurer, etc. She therefore can’t be in breach of it and her company isn’t at any risk of fines. The person who will get nailed for HIPAA violations is the health-care professional who isn’t adequately safeguarding data–the OP’s husband.

      1. A Bug!*

        Yup! There’s fault on the ex-wife’s part for accessing information she knew she wasn’t entitled to access. But there’s no violation of HIPAA there on her part.

        Just like if I call up a hospital and ask for personal information I’m not entitled to, if the hospital gives it to me, they’re the one violating confidentiality, not me.

        I doubt any wiretapping laws come into effect here either (unless the “hacking” is more complicated than “You’re using a password I know or can guess”), but on that front I’d love to hear from someone with actual knowledge of those laws.

        1. fposte*

          It’s kind of interesting that the OP seemed to really, really want to get her predecessor in trouble and didn’t realize that she was really, really likely to get her husband in trouble.

          Of course, they may not even be married now–four years is a long time!

  3. tangoecho5*

    She’s been doing it a year? And only now is it such a big deal? Part of me thinks the OP & her husband love the drama of the whole situation as if they’re being screwed over by the big bad vengeful ex-wife. Otherwise, that password would have been changed immediately when the husband found out what happened rather than let it drag on.

    Lastly, I want to know exactly how the OP found out the ex was the one breaking into her husband’s email and using her work computer to do so. Did the OP engage in some immoral or illegal activity herself to figure all this out? Funny how she’s all worried about patient confidentiality when the ex might learn something but not so worried that she proactively acted to stop the access quickly.

    Rather than pretend she’s Nancy Drew, maybe the OP would be better served to move on and not be another high drama wife so AAM won’t hear in a few years from wife #3 complaining how wife #2 is reading her emails.

    1. VintageLydia*

      Well, it’s not illegal to trace IP addresses or any other footprints we leave on the internet. Alison can do it to any one of us if she cared to (and I used to all the time when I wrote a blog, more for the sake of curiosity than anything else.) The doctor definitely has a massive security hole (or his employer does, depending on which email she’s hacking and how he connects to it), and it should’ve been addressed the moment they noticed it happening, so he and the OP aren’t in the clear either. But it’s not illegal or unethical to dig up where the attacks are coming from. Network security people do it all the time.

      1. Ask a Manager* Post author

        Here’s something I’ve always wondered about: I know you can trace an IP address to get the general geographic location of the person. But to narrow it down further than that, don’t you need a subpoena from the ISP or something like that?

        1. K*

          Yeah; but often people get themselves into trouble because the IP from e-mails that are admittedly from them matches e-mails or anonymous posts that they deny making. It’s never certain; more than one person could be using a given computer, but it can provide pretty strong circumstantial evidence under the right set of circumstances.

          1. VintageLydia*

            Yup, it’s how I discovered one of my frequent commenters also posted anonymously to troll (he did this for about a day. I publicly called him out on it so he stopped and never commented again, though he still visited often.)
            I’m not sure how you’d figure it out from email hacking (whether it was actual hacking or using a password) but my friends who maintain networks talk about finding this stuff out often.

        2. Jamie*

          That’s my understanding, which makes this complicated for the majority of people posting from consumer ISPs.

          If everyone had a private host and static IPs there would be a lot less anonymity online.

        3. Pandora Amora*

          No, you don’t need a subpoena to get more specific than a geographic region; given any IP address, you can find out:

          – the geographic region (“Minnesota”) via geo-ip lookup;
          – the ISP (“RoadRunner DSL”) who owns that IP block;
          – the actual outbound server from the ISP.

          Play with “tracert” for the last one (windows: windows-r, ‘cmd’, ‘tracert ‘); play with a domain lookup service for the second one.

          Once you know the ISP you can easily send an email to their abuse department informing them that whichever account was connected to your blog at such-and-such a time with such an IP, and give a sample of the harassing comments you’ve been getting.

          The subpoena is required when you want to identify the end user on the keyboard, and the ISP hasn’t responded to your requests for assistance.
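The defender-side counterpart of the lookups described in the comment above, as an added example that belongs to none of the commenters: before anyone talks to an ISP or an employer, the account owner (or their IT department) can check the account's own login log for successful sign-ins from networks the owner never uses, count how often each stranger address comes back, and see whether those sign-ins cluster in office hours. The log format, the sample lines and the list of known networks are all constructed for this example, not taken from any real mail server.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a webmail access log (made-up format, not any
# real server's). Fields: ISO timestamp, event, account, source IP.
SAMPLE_LOG = """\
2009-10-02T07:58:12 LOGIN_OK dr.example 203.0.113.10
2009-10-02T12:14:03 LOGIN_OK dr.example 198.51.100.77
2009-10-02T12:15:40 LOGIN_FAIL dr.example 198.51.100.77
2009-10-03T08:01:55 LOGIN_OK dr.example 203.0.113.10
2009-10-03T13:22:18 LOGIN_OK dr.example 198.51.100.77
2009-10-04T09:45:00 LOGIN_OK dr.example 192.0.2.5
2009-10-05T12:40:31 LOGIN_OK dr.example 198.51.100.77
"""

# Networks the account owner actually signs in from (home, the practice).
# Constructed for the example; in practice the owner supplies these.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, event, account, ip) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, account, ip = m.groups()
        try:
            yield datetime.fromisoformat(ts), event, account, ipaddress.ip_address(ip)
        except ValueError:  # bad timestamp or bad address: ignore the line
            continue


def is_known(ip, networks=KNOWN_NETWORKS):
    """True if the address (string or ip_address) lies in one of the known networks."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in net for net in networks)


def unexpected_logins(text, networks=KNOWN_NETWORKS):
    """Counter of successful logins per source IP outside the known networks."""
    counts = Counter()
    for _, event, _, ip in parse_log(text):
        if event == "LOGIN_OK" and not is_known(ip, networks):
            counts[str(ip)] += 1
    return counts


def business_hours_share(text, ip, start=9, end=17):
    """Fraction of successful logins from `ip` whose hour is in [start, end).
    A stranger address that only appears in office hours is the kind of
    pattern that points at a workplace rather than a home connection."""
    hours = [ts.hour for ts, event, _, src in parse_log(text)
             if event == "LOGIN_OK" and str(src) == ip]
    if not hours:
        return 0.0
    return sum(1 for h in hours if start <= h < end) / len(hours)


def report(text, networks=KNOWN_NETWORKS, min_count=2):
    """(ip, login count, office-hours share) for repeat offenders, most frequent first."""
    return [(ip, n, business_hours_share(text, ip))
            for ip, n in unexpected_logins(text, networks).most_common()
            if n >= min_count]


if __name__ == "__main__":
    for ip, n, share in report(SAMPLE_LOG):
        print(f"{ip}: {n} successful logins, {share:.0%} during office hours")
```

The one repeat stranger in the sample, 198.51.100.77, accounts for three successful logins, all between 09:00 and 17:00; the failed attempt from the same address is deliberately not counted.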

        4. RF*

          You can get frighteningly specific information from the IP, actually. It very much depends on who your service provider is and how they distribute IPs. So you might only be traceable back to a US state, or it might actually be able to see you are from a specific village with a population of 2,000, which narrows down who you are considerably.

      2. Elizabeth West*

        I need to learn about this so I can describe it in a novel without actually telling someone how to do it. My company’s security is AH MAZING. I should pick the IT department head’s brain. He seems to know more about hacking than anyone I’ve ever met.

    2. jesicka309*

      For all we know it could be as simple as one of the husband’s patients blithely saying “I didn’t know I’d been signed up for this health magazine I started receiving, is that something this practice does automatically? I’d like to opt out.” That would definitely set the OP and her husband onto who had been taking the information, without needing to go all internet sleuth.

  4. The IT Manager*

    I would assume the term “breaking into his email” doesn’t actually mean she’s using a known password to log in. (If someone uses a key you gave them to get into your house, that is not breaking in.) That’s not breaking in. OTOH if they know this is happening they can make an effort to plug the security hole and stop the break-ins.

    If she’s breaking into his account and they want to report it, they should go to the police and not her boss, so, yeah, this whole question sounds off.

    1. fposte*

      I think that an IT person wouldn’t describe it as “breaking in,” but a peeved layperson might. I’m wondering if the ex simply had the husband’s passwords during the marriage and he never changed them (which would again put him in breach of HIPAA if he’s talking about patients on that email).

      1. The IT Manager*

        If all the husband needed to do was change his password to stop the “break-ins”, then he and the LW are dumb, inviting drama, and the husband is opening himself up to HIPAA violations for not taking steps to protect private information.

        Sadly we probably won’t be getting an update because I’d be curious for further information.

        1. fposte*

          I’m not completely convinced the version husband was telling current wife was what was actually happening, either. It’s always simpler to make the ex the complete villain than to own up.

        2. Kou*

          Absolutely. Protecting that information (at extreme cost, my hospital will completely wipe a device or an account if they think it’s being accessed by someone it shouldn’t) is entirely his responsibility. Even if she was legitimately hacking (which I doubt) him not reporting it to the proper people at his employer has opened him up to all the same hot water.

      2. Jamie*

        It may not even be that she had the passwords but that he had the brilliant and original idea of using his birthday or kids’ names or whatever…because no one would guess those.

        I have nothing but contempt for this doctor not immediately acting to safeguard the privacy of his patients. Alert IT so they can lock this down. This is just callous disregard for his obligation to his patients.

        1. ITwannabe*

          Agreed. If they were savvy enough to know that the email was being accessed, they were savvy enough to know to change the password. On another note, I devoutly hope that the doctor wasn’t storing patient information on a personal email account. That is a whole different problem in and of itself.

    1. Elizabeth*

      Isn’t that kind of like “Don’t wrestle with a pig. You’ll only get dirty and the pig will like it”?

  5. Your Mileage May Vary*

    Because the OP mentioned that ex-wife works for a healthcare publishing company, do you think she’s taking information from these emails and using them in articles? Something like “Nancy (name changed) says her condition was undiagnosed for 13 years before doctors finally discovered what it was.” That’s the only reason (other than spite) that I can think of why they think it would be a good idea to let the employer know.

    Not that I think it’s a good idea. The onus here is on the husband to keep his account secure. I do not believe ex-wife is Silva (Javier Bardem in Skyfall), able to break into any computer willy-nilly and take what she wants. Husband is leaving it wide-open for her.

    1. some1*

      I wouldn’t imagine that a Managing Editor is actually writing a lot of articles, unless it’s a small operation.

  6. Esra*

    Did she ever update on how it went? I’m pretty curious as to why they didn’t just change the password.

    1. Ask a Manager* Post author

      Nope. One of the sad things about outrageous letters like this is that they’re great fun to respond to, but the writers tend not to weigh back in because they don’t want to wade into a group of people criticizing them.

      1. Esra*

        Ah that’s too bad. We’re usually pretty nice (by internet standards?) to the OPs who come to the comments.

        1. Ask a Manager* Post author

          I think we are too. But when you’re the one being told that you’re wrong (no matter how nicely), it can be pretty unpleasant for a lot of people, or at least make them defensive. And sometimes people do say things that they wouldn’t say to a person’s face if they knew them (“your reasoning sounds dumb” or whatever). It can feel tame for the Internet, but still hard to hear if you’re the one being talked about.

          1. Esra*

            That’s very true. I’m glad there are some updates though. There are a few Captain Awkward entries I would kill to hear a follow-up on.

            1. TL*

              Yesterday someone who wrote into AAM and got published got a question published on Captain Awkward…
              Funny that today Captain Awkward gets referenced in AAM!

  7. kasey*

    Oh, wow. If OP and husband knew this was going on for the past year, that doesn’t speak highly of his regard of patient confidentiality. Change the password. Trace the IP, try to plug the hole. And if she persists take action with IT, then employer.
    But imagine that conversation, husband: “she’s been doing this for the past year!” employer or official: “so why am I just hearing about this now?” I sincerely hope my doctor would not wait this out “for the past year” just to see how this drama ends. You have really lost the moral high ground, so to speak. I wonder if your husband might be in violation of HIPAA for turning a blind eye “for the past year” to this breach?

    1. Elizabeth*

      Given the most recent changes in the federal enforcement of HIPAA & HITECH (the health IT section of the ARRA) that were released a few weeks ago, Herr Doktor doesn’t really want his employer to find out that he knew it was going on and didn’t report it or make any effort to stop it for a year.

      The fines start accumulating when any “agent” of the covered entity becomes aware or should reasonably become aware of the breach of protected health information. He knew or even suspected the ex was getting into his email? Yeah, he’s toast.

      Each day is considered a new violation. This would be considered willful neglect, because he knew about it and did nothing about it for 365 days (I’ll be kind and assume this hasn’t continued since they wrote in 2009), which is $10K – $50K per day per violation. Again, we’ll be kind, and say $3,650,000, assuming they don’t slap down the top end fine. Fortunately for Herr Doktor, they cap the fine at $1.5M per violation per year. But, that then assumes that they don’t start looking at criminal charges under the original law.

      And depending on what state Herr Doktor lives in and his patients live in, he could be required to make personal notification to his patients that their information was breached (California requires it if the patient lives there, so you aren’t safe from it even if you don’t). If he’s a fairly typical general medicine practitioner, he’s probably well above the 500 patient threshold for requiring media notification. So, you have to send out a press release to the local media, stating how & when the information was breached, along with what steps you are taking to assure that they don’t suffer harm because of your screw up.

      Yeah, there is no good outcome here for Herr Doktor. If he had changed his password & called his IT department as soon as he found out about it, he might have been okay. Now? Not a chance.

      1. ITwannabe*

        I would add Risk Management to that list of notifications as well. They would have taken steps to protect both him and the institution he is affiliated with. If he is affiliated with a hospital (and most doctors are on one level or another), that institution could be at risk, too. Bad, bad juju…..

  8. Rayner*

    I’d say that this doesn’t need to be reported to the boss, it needs to be taken to senior management/and possibly the police!

    Hacking email accounts is illegal, and the doctor husband could be leaving himself wide open to reports of breaching confidentiality if he’s knowingly not let senior people know and made every effort to prevent her – changing email accounts, his passwords, and letting his management know about it.

    He has a responsibility to the patients to protect their privacy, and failing to do so is horrible.

    If she’s getting in with an old password, more fool him, but it’s utterly absurd that this has been going on for so long when confidential patient notes and information could be found.

  9. JLL*

    Look- you don’t like the ex, and that’s fine.
    But keep it 100- you really would like to get her in trouble because she’s a pain in the ass to you.

    Relating it to her job is a stretch, and if your husband hasn’t changed his passwords (like, how hard is it to change it to something random?) even though he knows someone is accessing his account, IT might have more questions for HIM as opposed to any trouble she might get into. As many have said, change his password and keep it moving.

    And as a side note, this is not a problem “we” are having- regardless of her involvement, this is a professional problem, which means it’s a problem HE is having. You are not involved in this, and you shouldn’t be.

    Signed,

    A woman whose partner has an ex-wife

    1. some1*

      “And as a side note, this is not a problem “we” are having- regardless of her involvement, this is a professional problem, which means it’s a problem HE is having. You are not involved in this, and you shouldn’t be.”

      I noticed that, too, and the part where she won’t stay out of “our lives”.

  10. Lora*

    Lord have mercy. Having just gone through a dramatic and heartbreaking divorce, I agree w/ the folks who say this is drama-seeking.

    I also was accused of violating my husband’s HIPAA privacy by his lawyer *after* MY lawyer and the judge caught his silly girlfriend attempting to commit insurance fraud using my health insurance–he was, and is, still on my health insurance as part of our separation agreement, so I receive the statements from Blue Cross. The cards have both our names on them, she showed up at the obstetrician claiming to be me…except it says right on my medical records that I’m infertile. His lawyer’s complaint was that she/he should never have been caught because I wouldn’t know unless I was violating his medical privacy…by opening an envelope from Blue Cross which was addressed to me, and by replying to phone calls from Blue Cross questioning the legitimacy of the charges. It had to be explained to them that fraud protection is a legitimate activity and that health care fraud is the one thing that can ban you from getting health insurance in the US.

    TL;DR. I would also suspect there is something sketchy beyond hubby merely being password-challenged here. But that is just based on my experience, I know my ex had all sorts of horse pucky to say (not just about me, but about his own income/lifestyle/interests/health) to his girlfriend, and she was shocked, shocked! to find out that he had lied to her.

    1. some1*

      Yeah, it’s fishy to me that the husband would know his ex-wife is hacking into his email for a year and not do anything about it.

  11. annalee*

    Wow. I’m surprised at all the victim-blaming going on here.

    I don’t see anything in the original message that says that the doctor has known about the hacks for a year–only that they know it’s been happening for a year. They very well could have discovered the hacks recently.

    Also, federal law defines hacking pretty broadly. See, for example, this case, where a man was sentenced to 10 years in federal prison for breaking into email accounts belonging to famous women. His dastardly angle of attack? Correctly guessing their password hint questions. According to the linked article, he got off easy: the laws he violated carried a maximum sentence exceeding 120 years in prison.

    Or consider the story of Andrew Auernheimer, who was arrested for ‘hacking’ because he stumbled across an AT&T API that was publicly broadcasting iPad users’ email addresses to the entire internet. No password-guessing or any other attempts to get around their security. He just found something AT&T had accidentally left open to the public, and that was sufficient to complete the offense.

    So even if the ex-wife is doing nothing but guessing the password (heck, even if she knew the password because he forgot to change it, and they just now discovered she’s been using it) she’s still committing a federal crime. She’s intentionally accessing computer files she knows she doesn’t have permission to access, and that’s all it takes to be a ‘hacker’ under federal law.

    Personally, I think those laws are rather extreme. But if you were her boss, wouldn’t you want to be informed that an employee was using company resources to commit a felony? Especially a malicious one, like cyber-stalking an ex?

    Yes, one take-away from this story is that folks should use strong passwords, and change them periodically. But if someone chooses to access your email without your permission, then no matter how weak your password is, they’re still the ones in the wrong.

    1. Ask a Manager* Post author

      I don’t think anyone is arguing that the ex-wife is in the right. But the current wife’s take on this is missing the point, seems agenda-driven in itself, and seems designed to cause more drama than to simply solve the problem.

      1. annalee*

        I agree that the HIPAA thing is a gigantic red herring, and that the current wife is clearly angry and out for some payback. But if someone was hacking my email from a library, I’d tell the library, so they could prevent the person from misusing their resources. I don’t see how it’s any different to tell their employer under similar circumstances.

      2. Kou*

        Nail on the head right here. Annalee is right, theoretically, about the situation as a whole– but the solution to this problem is for husband to talk to his employer so they can plug the leak. The second he fails to do this (it has to be immediate) the issues shift from the leak to him not managing the leak very, very quickly. Which might sound crazy to someone outside healthcare– why would an individual be responsible when they’re victimized? –but that’s what the standards are for those of us that work with patient information.

        And if there is some reason to believe ex-wife’s employer should be brought in, that should be done by husband’s employer and not by husband and vigilante wife. Handling it the way the OP proposes is far from proper and close to personally vindictive in an entirely useless way.

  12. cncx*

    As a paralegal who changed careers to IT, I’m really confused: has this dude not changed his password in a year? Is this woman buddies with whoever handles AD? Has dude not changed his backup email or secret question in gmail/hotmail? Why does she still have access- is it poor computer literacy and password hygiene, like did he give her the password when they were married and has not bothered to change it? Does he use a stock password that is easy to guess? Or is she “hacking” the mail? If she is straight up hacking (going into AD or something) then ex gets all my rage. If dude isn’t being smart with his passwords, then he and the OP are not completely innocent here (besides the fact that OP sounds like an agenda troll).

    I don’t know a lot about US law, but in the countries where I worked in law, if the guy has not taken appropriate steps to secure his account (giving his password to people, leaving it on a postit, making it his birthday etc), this too could turn into a problem for him and his employer, for example if their infrastructure team in turn doesn’t have a good password policy (expiring passwords, requiring a level of complexity…) and management does not have rules about password sharing in the employee guidelines.

    My point is, there is a big difference morally and legally between two people not having good password practices, and an ex-wife social engineering or straight up hacking an account.
