by openasocket 3680 days ago
It sounds like Patterson Dental deserves as much blame as the FBI, if not more, because it sounds like they were the ones pressing charges and motivating prosecution in the first place. Also, why aren't they being charged with what is almost certainly a HIPAA violation?

If Patterson Dental (and I say if since we don't really know) is behind him getting arrested, I hope all their patients find out about the details of this and they go out of business. If nothing else they should be charged with HIPAA violations.
Patterson is not a dental clinic. Like Henry Schein, which was also mentioned in TFA, it is a large dental supply company. One reason that dentistry is so expensive is that assholes like these run an oligopoly of "specialty" dental supplies. It's not as bad as military procurement, but it's kind of like that. Dentists as a profession are risk-averse, and that includes the "risk" of purchasing dental equipment and supplies without a 300% price markup.

So, the chance of them going "out of business" is pretty slim. It's entirely possible that dentists unfortunate enough to have chosen Eaglesoft will get to pay some HIPAA fines, however.

> So, the chance of them going "out of business" is pretty slim. It's entirely possible that dentists unfortunate enough to have chosen Eaglesoft will get to pay some HIPAA fines, however.

Will they? Since Eaglesoft claimed to provide encryption, and the practices relied on that claim, it seems unlikely that the practices are at fault; if they are subject to civil liability at all for inadvertent violations -- or even if they just have costs to cure the violations without money liability, which seems more likely given the history of HIPAA enforcement -- they would seem to have a claim for at least the total resulting costs in damages against Patterson.

As far as criminal violations of HIPAA go, it doesn't seem particularly likely that any occurred, and if any did, it's pretty clear that the practices are (barring any evidence of knowledge that hasn't come to light) unlikely to have had the requisite knowledge or intent to be culpable, though the violations may have been willfully caused by Patterson's actions, which -- even though Patterson might not usually be directly covered by HIPAA as regards what appears to be on-premise software they sell -- might make Patterson a (and possibly the only) chargeable principal in any crime. 18 USC Sec. 2(b): "Whoever willfully causes an act to be done which if directly performed by him or another would be an offense against the United States, is punishable as a principal."

HIPAA violations that are prosecuted are so rare they may as well not exist. I worked at a place that shared all the prod server/db passwords in a text file and they thought that was OK because they passed some half-ass audit. No one cared.
> Also, why aren't they being charged with what is almost certainly a HIPAA violation?

Foremost among the many reasons, because investigation of HIPAA Privacy and Security violations is almost entirely (if not entirely) complaint-based rather than proactive, and probably no one filed a complaint to the HHS Office of Civil Rights.

Which I think should be the immediate and first act on discovering something like this with PHI, if for no other reason than that doing so makes clearly applicable the whistleblower protections of 45 CFR 160.316.