I'm the receptionist for a large non-profit agency - the agency provides mental and behavioral health services for kids, including
residential services. I went to my lunch break today, and when I got back, Jenna, the person who covered my lunch break showed me an email that had been sent
out to the entire campus (200+ people), apparently by a therapist named Lana. All it said was "I'm the best 
" Jenna said that one of our IT
guys had gone into a conference room where Lana had a meeting earlier, and found that she had never logged herself off the computer - so theoretically, anyone
could have walked in and used the computer and had access to sensitive information, although it's unlikely since there's always someone at the
reception desk watching over things. So, apparently, the guy from IT sent it to embarass her and show that anyone could have had access. Then, one of the
people in our records department sent this email, also to the whole campus:
"Thank you to whoever logged Lana off her computer following this email! I appreciate your watching out for the security of our network and the confidentiality of our information."
Then, a few minutes later, the same person sent this email:
" Okay, I'm getting a lot of questions about what this message trail is about, so rather than answer each person individually, but to address the semi-generalized confusion:
My understanding is that the standard "gag" when someone leaves the room and doesn't lock or log off the computer they were using (HIPAA concern), then the person who discovers they can access the computer sends this kind of braggy-type message anonymously, using the security/privacy-violater's email account. It's supposed to embarrass the person who forgot to log off the system and demonstrate the potential liability that happens when you leave a computer logged on and unattended for anyone to come along and use under another account.
" Jenna said that one of our IT
guys had gone into a conference room where Lana had a meeting earlier, and found that she had never logged herself off the computer - so theoretically, anyone
could have walked in and used the computer and had access to sensitive information, although it's unlikely since there's always someone at the
reception desk watching over things. So, apparently, the guy from IT sent it to embarass her and show that anyone could have had access. Then, one of the
people in our records department sent this email, also to the whole campus:
"Thank you to whoever logged Lana off her computer following this email! I appreciate your watching out for the security of our network and the confidentiality of our information."
Then, a few minutes later, the same person sent this email:
" Okay, I'm getting a lot of questions about what this message trail is about, so rather than answer each person individually, but to address the semi-generalized confusion:
My understanding is that the standard "gag" when someone leaves the room and doesn't lock or log off the computer they were using (HIPAA concern), then the person who discovers they can access the computer sends this kind of braggy-type message anonymously, using the security/privacy-violater's email account. It's supposed to embarrass the person who forgot to log off the system and demonstrate the potential liability that happens when you leave a computer logged on and unattended for anyone to come along and use under another account.
I did not send the original email, but as Privacy Officer, I wanted to remind/suggest, that the sender should have logged off the computer
after they sent the email and thus my "thank you" response."
So embarassing! I feel so bad for Lana. 
I've seen her walk through the hall a few times with her
head down and totally avoiding eye contact, she's super humiliated. I just don't think it was necessary to send it to the whole campus...
