Misdirected fax exposes 312 patient records to competitor's office
Your HIPAA scan flagged that the fax-out workflow has no destination-validation step. This scenario walks the §164.402 four-factor risk assessment and the §164.404 notification mechanics for a misdirected-PHI event.
Hand out attendee links — no screen sharing required
At drill kickoff you hand out two URLs so every attendee can follow + participate live from their own device, no Teams call needed:
1. Spectator URL: read-only timer, current inject and delivery progress, refreshed every 3 seconds. For observers, security leadership and anyone watching but not participating. Works on a conference-room TV too.
2. Participant URL: each attendee picks their role from your org-shape roster and submits their own written answer per inject. Submissions stream onto your facilitator screen in real time, role-tagged. When you Drop the inject, their answers are locked into the evidence record next to the team's consensus response, with full attribution preserved in the auditor ZIP.
Demo note: only the spectator URL is wired in the demo. The participant flow requires real auth and your tenant’s org-shape roster, so it doesn’t run client-side.
Scenario
On a Wednesday at 14:08 ET, a billing clerk at your organization fax-batches 312 patient encounter summaries to what they believe is the third-party billing service. The destination number was off by one digit; the fax actually landed at a competing healthcare practice's general office line. The competing practice's office manager calls your privacy officer 47 minutes later and politely asks 'Did you mean to send us 312 of someone's patient records?' The fax is paper-only at the receiving end (their MFP printed it).
Threat actor + attack chain
None. This is an unauthorized disclosure caused by an internal process failure, not a malicious actor. A large share of reported HIPAA breaches, particularly the under-500 ones, fall into this category.
1. Cause: the fax destination was hand-keyed by a clerk; no second-person check, no fax-cover-sheet validation, no destination whitelist.
2. Disclosure: 312 encounter summaries print at an unrelated organization. The receiving organization's office manager picks them up from the MFP.
3. Notification (inbound): the receiving practice calls your privacy officer at 14:55 ET to flag the misdirection.
4. Exposure window: from 14:08 to 14:55 the fax pages were physically present at the receiving organization, with no containment possible on your side. Multiple staff may have walked past the printer.
Timed injects
Each inject lists its scheduled trigger time. When the drill clock passes that time, the inject highlights amber as a hint — but YOU pace the drill: click Drop inject to mark it delivered (timestamp captured for the audit record), then capture the team’s response. The “Expected action” line is your facilitator-only debrief reference.
Privacy Officer: 'I just received the call from the receiving practice. Their office manager said the fax has been on their MFP since 14:08. She's asking what to do with it.' Privacy Officer needs to give an answer within 5 minutes.
Expected action (facilitator-only): Request receiving practice (a) immediately secure all pages, (b) document who saw the fax, (c) shred the originals upon written acknowledgment, (d) provide written certification of destruction. Document the request with timestamp.
Share the participant URL to invite team input. Submissions reveal here as they land.
Compliance lead pulls the log of breaches in the rolling 12-month window: two prior misdirected-fax events of 8 and 24 records. With this 312, the tally is 344, still under 500. Facilitator note (added in v1): if the team cannot answer within the inject window, the IR pre-built escalation tree applies; escalate to the named owner one tier above before the response runs over.
Expected action (facilitator-only): Discussion: §164.408(c) requires breaches affecting fewer than 500 individuals to be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered (March 1 in a non-leap year). Document the calendar reminder. Two points the team should surface: the 500 threshold is per breach, not a cumulative tally, so 344 across three events does not approach the §164.408(b) contemporaneous-notice trigger; and a breach under 500 still requires individual notification under §164.404.
Legal counsel walks the §164.402 4-factor in detail. Verdict: probability of compromise is *more than low* (paper sat on a shared MFP for 47 minutes; multiple staff likely walked past). This is a breach.
Expected action (facilitator-only): Decision documented with named decision-maker, timestamp, supporting analysis. Move to §164.404 notification mechanics.
Communications lead asks: 'How do we tell 312 patients? What's our notification template? Do we have one?' If you don't, what's the fastest legitimate way to draft and approve one?
Expected action (facilitator-only): Team identifies whether a template exists. If not, this becomes a top-priority remediation item; drafting under fire is bad. Discuss the delivery method for high-volume notification: written notice by first-class mail to the last known address, with email only for individuals who have agreed to electronic notice. Where contact information is insufficient or out of date, §164.404(d)(2) substitute notice applies; for 10 or more such individuals that means a conspicuous website posting or major print/broadcast media plus a toll-free number active for at least 90 days.
Practice manager: 'How do we make sure the next billing batch doesn't have the same problem?' Veri-Tech's HIPAA scan finding HIPAA-AS-002 is sitting open.
Expected action (facilitator-only): Team identifies remediation: (a) implement a fax destination whitelist (pre-approved numbers only, with a second-person check before any new entry is added), (b) move to encrypted email with a portal link, or (c) switch to portal-based delivery. Document the chosen path, owner and due date.
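As an added example of the whitelist control in option (a), and not code from Veri-Tech, the HIPAA scan or this page's tooling: a Python gate that normalizes a hand-keyed fax number, sends only if it is on an approved-destination roster, and otherwise blocks it for a second-person check, naming any approved number that is one substituted or one transposed digit away (the exact keying error in the scenario). The roster numbers are constructed, the `normalize`, `near_misses` and `gate` names are hypothetical, and the code assumes 10-digit North American numbers.

```python
"""Fax destination gate: allowlist check plus near-miss detection.

Added example, not part of the page's tooling. Assumes NANP 10-digit
destinations and an approved-destination roster kept under change control.
"""
import re
from dataclasses import dataclass

# Constructed sample roster (hypothetical 555 numbers, not real destinations).
APPROVED_DESTINATIONS = {
    "5555550142": "third-party billing service (fax)",
    "5555550177": "claims clearinghouse (fax)",
}

NON_DIGITS = re.compile(r"\D+")


def normalize(raw: str) -> str:
    """Strip formatting, drop a leading country code 1, require 10 digits."""
    digits = NON_DIGITS.sub("", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit NANP number: {raw!r}")
    return digits


def near_misses(candidate: str, roster: dict) -> list:
    """Approved numbers one substituted digit or one adjacent transposition
    away from candidate: the hand-keying errors that land PHI on a stranger's MFP.
    Returns (approved_number, label, kind) tuples."""
    hits = []
    for approved, label in roster.items():
        diff = [i for i in range(10) if approved[i] != candidate[i]]
        if len(diff) == 1:
            hits.append((approved, label, "single-digit substitution"))
        elif (len(diff) == 2 and diff[1] == diff[0] + 1
              and approved[diff[0]] == candidate[diff[1]]
              and approved[diff[1]] == candidate[diff[0]]):
            hits.append((approved, label, "adjacent-digit transposition"))
    return hits


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_second_person: bool = False


def gate(raw_destination: str, roster: dict = APPROVED_DESTINATIONS) -> Decision:
    """Allow only roster numbers; block everything else and say why."""
    try:
        number = normalize(raw_destination)
    except ValueError as exc:
        return Decision(False, str(exc))
    if number in roster:
        return Decision(True, f"approved destination: {roster[number]}")
    misses = near_misses(number, roster)
    if misses:
        approved, label, kind = misses[0]
        return Decision(False,
                        f"{kind} of approved number {approved} ({label}); likely keying error",
                        requires_second_person=True)
    return Decision(False,
                    "destination not on allowlist; add it via change control before sending",
                    requires_second_person=True)


if __name__ == "__main__":
    # Constructed inputs: the approved number, one digit off, two digits swapped,
    # an unknown number, and a malformed one.
    for dest in ["(555) 555-0142", "1-555-555-0143", "555-555-0124",
                 "555-555-9999", "5550142"]:
        d = gate(dest)
        print(f"{dest:>16}: {'SEND' if d.allowed else 'BLOCK'} - {d.reason}")
```

Wire `gate` in front of the fax server's send call, not into the clerk's desktop: a near-miss or unknown-destination result should require a second person to clear it, because a sender-only override recreates the original single-keystroke failure.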
Wrap-up: rubric scoring + remediation list with owners + dates.
Expected action (facilitator-only): Top items typically: (1) implement the fax workflow control, (2) draft and maintain a notification template, (3) annual sanction review process, (4) re-train the workforce on destination verification and minimum-necessary.
Scoring rubric
Rate the team’s performance on each criterion (1 = poor, 5 = excellent). Notes are optional facilitator commentary.
§164.402 4-factor analysis quality
weight: 25
- 5: All 4 factors discussed with evidence, decision timestamped, decision-maker named
- 4: All 4 factors discussed, evidence partial
- 3: Some factors discussed, decision made
- 2: Decision made without explicit factor framing
- 1: No structured analysis
§164.404 notification timeline knowledge
weight: 20
- 5: 60-day rule recited, calendar set, owner named
- 4: 60-day rule recited, calendar set
- 3: 60-day rule recited, no concrete plan
- 2: Vague awareness
- 1: Rule not invoked
§164.408 annual aggregate awareness
weight: 10
- 5: Rolling 12-month count maintained and reviewed; March 1 reminder set
- 4: 12-month count maintained, reminder ad hoc
- 3: Awareness exists, no system
- 2: Confused with §164.404
- 1: Section not invoked
Receiving-party containment
weight: 15
- 5: Receiving party gets request to secure and certify destruction; written acknowledgment captured
- 4: Containment requested; written confirmation pending
- 3: Verbal containment only
- 2: Inconsistent containment
- 1: Not addressed
Notification template readiness
weight: 10
- 5: Template exists, reviewed annually, ready to fill
- 4: Template exists but stale
- 3: Template exists for some scenarios only
- 2: Drafted ad hoc
- 1: No template
Sanction policy invocation
weight: 10
- 5: Documented policy applied with workforce-fairness review
- 4: Policy applied informally
- 3: No policy but corrective action defined
- 2: Punitive without process
- 1: No response
Process remediation owner + date
weight: 10
- 5: All gaps assigned, due dates set, tracked in compliance system
- 4: Most gaps assigned
- 3: Gaps logged without owners
- 2: Gaps discussed only
- 1: No remediation list
Lock & save
Locking the session writes an immutable, SHA-256-checksummed evidence record into Veri-Vault. Once locked, this session cannot be edited — it becomes the auditor-grade record of the drill alongside the source bundle.
All seven criteria must be scored before lock.
