Full Report

> DataBreaches is not on TikTok and, being something of a dinosaur, never heard of “Josh and Jase” before. But no patient should have their privacy violated the ways Josh’s was. What happened to “break the glass?” What happened to all the software and auditing protections to prevent hospital employees from snooping on celebrity patients’ records?...

Analysis Summary
# Incident Report: Unauthorized Access to High-Profile Patient Records
## Executive Summary
A hospital in Michigan (identified as McLaren Northern Michigan) suffered an internal privacy breach involving the unauthorized access of medical records belonging to social media influencer Josh Clarke. Hospital employees bypassed privacy protocols to view personal information and physically harassed the patient for social media engagement. This incident highlights a failure in "Break the Glass" protocols and internal auditing for celebrity or high-profile patients.
## Incident Details
- **Discovery Date:** February 11, 2026 (Public disclosure)
- **Incident Date:** Circa early February 2026
- **Affected Organization:** McLaren Northern Michigan (Inferred via geolocation and media context)
- **Sector:** Healthcare
- **Geography:** Petoskey, Michigan, USA
## Timeline of Events
### Initial Access
- **Date/Time:** During the patient's emergency hospitalization (Early Feb 2026).
- **Vector:** Internal authorized credentials used for unauthorized purposes.
- **Details:** Hospital staff used their standard access privileges to search for and view the records of a high-profile patient without a clinical "need to know."
### Lateral Movement
- **N/A:** As this was an insider threat, the individuals already had access to the Electronic Health Record (EHR) system; movement was "horizontal" across different patient records rather than across the network.
### Data Exfiltration/Impact
- **Unauthorized Viewing:** Private medical history and personally identifiable information (PII) were accessed.
- **Physical Boundary Violation:** Staff members physically entered the patient's room while he was incapacitated/medicated to request selfies.
### Detection & Response
- **How it was discovered:** The hospital’s internal auditing or compliance systems (triggered post-incident) or a patient complaint led to the discovery of unauthorized views.
- **Response actions taken:** The hospital sent a formal breach notification letter to the victim and attempted to anonymize the patient's presence by removing his name from public notice boards (though this failed to prevent the leak).
## Attack Methodology
- **Initial Access:** Valid employee credentials.
- **Persistence:** Ongoing employment/authorized system access.
- **Privilege Escalation:** None required; abuse of existing legitimate access.
- **Defense Evasion:** Attempted to blend in with normal clinical workflow/charting.
- **Credential Access:** Not applicable (Insider threat).
- **Discovery:** Internal search of EHR databases for celebrity names.
- **Lateral Movement:** N/A.
- **Collection:** Manual viewing/reading of medical records.
- **Exfiltration:** Information was "leaked" via word-of-mouth among staff.
- **Impact:** Significant privacy violation and HIPAA non-compliance.
## Impact Assessment
- **Financial:** Potential HIPAA fines and legal liability from the victim.
- **Data Breach:** Exposure of sensitive medical data of a high-profile influencer.
- **Operational:** Disruption of care for the patient due to staff harassment.
- **Reputational:** High; negative viral press on TikTok and local news regarding the hospital's inability to protect patient privacy.
## Indicators of Compromise
- **Behavioral indicators:** Unusual volume of access requests for a single high-profile patient record by staff members not assigned to the patient’s care team.
- **Physical indicators:** Unscheduled/unauthorized staff visits to a specific hospital room.
## Response Actions
- **Containment measures:** Removing the patient's name from public-facing notice boards.
- **Eradication steps:** (Pending hospital confirmation) Likely disciplinary action or termination for involved staff.
- **Recovery actions:** Issuance of breach notification letters to affected individuals.
## Lessons Learned
- **System Failure:** The "Break the Glass" (extra authentication/justification for sensitive records) protocol was either not implemented or easily bypassed.
- **Cultural Failure:** Staff prioritized social media presence and celebrity over professional ethics and HIPAA legal requirements.
- **Detection Failure:** The hospital had no real-time control that stopped the curiosity-based "snooping" while it was happening; the unauthorized views were only identified after the fact.
## Recommendations
- **Enhanced Auditing:** Implement real-time alerts for any access to patients flagged as "High Profile" or "VIP."
- **Restrictive Access:** Enforce "Break the Glass" features where a user must provide a specific clinical reason before opening a celebrity’s file.
- **Privacy Training:** Conduct targeted training on the legal and professional consequences of "snooping" on well-known patients.
- **Physical Security:** Increase nursing supervisor oversight in VIP areas to prevent unauthorized staff "visits."
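One way to implement the enhanced-auditing recommendation and the behavioral indicator above (VIP-flagged record opened by staff outside the care team, with no break-the-glass reason, and an unusual number of distinct off-team viewers). This is an added example, not code from the page or the hospital; the audit-log columns, the `VIP_PATIENTS` and `CARE_TEAM` lookups and the `off_team_limit` threshold are assumptions, and the log rows are constructed.

```python
import csv
import io

# Constructed sample EHR access-audit log (not real hospital data).
AUDIT_LOG = """\
timestamp,user,role,patient_id,action,btg_reason
2026-02-03T08:12:00,rn_adams,nurse,P1001,chart_view,
2026-02-03T08:40:00,dr_lee,physician,P1001,chart_view,
2026-02-03T09:05:00,clerk_01,registration,P1001,chart_view,
2026-02-03T09:07:00,tech_77,radiology,P1001,chart_view,
2026-02-03T09:30:00,rn_baker,nurse,P1001,chart_view,float RN covering bed 12 on rn_adams break
2026-02-03T09:45:00,ward_aide_3,aide,P1001,chart_view,
2026-02-03T10:00:00,rn_adams,nurse,P2002,chart_view,
"""

# Assumed lookup tables: which patients carry the VIP flag and who is on each care team.
VIP_PATIENTS = {"P1001"}
CARE_TEAM = {"P1001": {"rn_adams", "dr_lee"}, "P2002": {"rn_adams"}}


def detect_vip_access(log_text, vip=VIP_PATIENTS, care_team=CARE_TEAM, off_team_limit=2):
    """Scan audit rows for VIP-flagged records opened by users outside the care team.

    Returns (alerts, summary):
      alerts  - one tuple per off-team access: (timestamp, user, patient, severity);
                severity is "unjustified" when no break-the-glass reason was logged and
                "btg_review" when a reason was logged and compliance should review it.
      summary - per VIP patient, the number of distinct off-team users; a count above
                off_team_limit sets volume_flag (the "unusual volume" indicator).
    """
    alerts = []
    off_team_users = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        pid = row["patient_id"]
        if pid not in vip or row["user"] in care_team.get(pid, set()):
            continue  # non-VIP record, or legitimate care-team access
        severity = "btg_review" if row["btg_reason"].strip() else "unjustified"
        alerts.append((row["timestamp"], row["user"], pid, severity))
        off_team_users.setdefault(pid, set()).add(row["user"])
    summary = {pid: {"off_team_users": len(users), "volume_flag": len(users) > off_team_limit}
               for pid, users in off_team_users.items()}
    return alerts, summary


if __name__ == "__main__":
    found, per_patient = detect_vip_access(AUDIT_LOG)
    for alert in found:
        print("ALERT", *alert)
    print(per_patient)
```

In production the same check would run on each access event as it is written, so an "unjustified" result can page a privacy officer immediately rather than surfacing in a later audit.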