This is the story of a successful lab company brought down by an employee using LimeWire file-sharing on her work computer. She unwittingly left her documents folder, which contained patient information, open to sharing. Because LimeWire is a peer-to-peer file-sharing program, other users on the network could view the documents.
A company that offers investigative services found the file and sent what the lab company owner considered letters of extortion. The owner refused the service. Pretty soon the FTC was involved.
The owner won before the Administrative Law Judge, but lost his business. The decision is now on appeal and the investigative company is being investigated itself.
Healthcare providers should have policies in place against employees downloading non-work-related material from the internet. You should also have an ongoing process to detect any breaches of that policy, to protect yourself against occurrences like this.
Be aware that the Federal Trade Commission is actively prosecuting breaches of information security “as a form of unfair and deceptive business practices.”