Blog

Facepalm Files: Thanks for the help. Please never do that again.

Author

Rob Sebaugh

Identity Strategist, Healthcare Solutions Engineering

SailPoint

Reading time: 3 minutes

Welcome back to the Facepalm Files! In this installment, Identity Strategist Rob Sebaugh shares his real-world encounter with a compliance violation risk at the doctor's office. Catch up on part 1.

The setup

My daughter turned 18 recently, officially aging out of pediatric care. As part of her "welcome to adulthood" experience, she needed to establish care with a new primary care physician. Due to doctor availability, she not only switched doctors but moved to an entirely different healthcare system. I tagged along to her first appointment—not to hover, but to help her get through the mountain of new patient paperwork and slowly back away into the parental sunset.

While she filled out forms authorizing the clinic to retrieve her records from the old health system, I had my cybersecurity hat mostly off and my dad hat on. Just another mundane administrative task, right?

That changed quickly.

The facepalm moment

Once all the paperwork was signed, including the form allowing the new clinic to pull her prior records, we handed everything to the nurse. She thumbed through the stack and paused at the authorization form. Her eyes lit up.

“Oh! I used to work as a travel nurse at [Enter Old Health System Here]. I still have a login! I’ll just go grab her records right now.”

Cue the needle scratch.

My dad instincts froze, but my cybersecurity brain slammed back online. Every red flag I’ve ever seen in an audit started waving at once. “I’m sorry, what?” I asked, hoping I had misheard her.

She smiled warmly. “Yeah, I left there about a year ago. But my access still works. Saves us some time!”

I gave a very tight-lipped nod as my mind raced. In her view, she was just being helpful and cutting through red tape. In mine, she was about to commit a serious compliance violation using credentials she should not still have. The bigger issue? Her access hadn’t been revoked a year after leaving.

That’s not just a facepalm. That’s a compliance cannonball into a flaming dumpster.

What I did next

I didn’t want to throw a wrench into my daughter’s first adult check-up, so I gently redirected the nurse back to the approved process: “Actually, why don’t we let the official records request run its course.” She nodded and moved on, seemingly unbothered.

Later that evening, I sat down to unpack what had just happened. In a casual 30-second exchange, I witnessed firsthand how easily someone with no malicious intent could unknowingly breach policy, patient trust, and federal compliance, all because basic identity lifecycle hygiene wasn’t followed.

I didn’t call out the old health system by name, but I absolutely flagged this incident (anonymously) in my professional circles. It was a perfect example of why our work in identity security matters.

The lesson

Here’s the thing: the nurse wasn’t a hacker, insider threat, or disgruntled employee. She was trying to help. But that’s exactly the risk.

When offboarding processes fail—especially for third parties or users who move between systems—access lingers. Lingering access is open access. It's an open door not just to compliance violations, but to breach risk, data integrity issues, and regulatory nightmares.

According to the 2025 Verizon Data Breach Investigations Report, breaches involving third-party and non-employee access doubled from 15% to 30% in just one year. This is no longer an edge case; it’s a growing attack surface. And it’s not limited to healthcare. Every industry that uses contractors, vendors, or temp staff is at risk if it doesn’t get identity lifecycle management right.

Access should be purposeful, provisional, and terminated promptly when the relationship ends. If someone leaves, their digital keys should go with them. If they move roles, access should be re-evaluated. Anything else is an invitation to trouble—even if it arrives in scrubs with a smile.

If your “former” employees can still log in, they’re not former—they’re just unmanaged risk.
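As an added illustration (not part of the original post or any SailPoint product), here is the kind of reconciliation check an identity team can run between an HR/contractor feed and the identity store to catch exactly the situation above: leavers still enabled, accounts with no HR record at all, and users whose role changed since their access was granted. The feed format, field names and sample records are constructed for the example.

```python
from datetime import date

# Constructed sample data: an HR/contractor feed and an identity-store export,
# joined on a shared user id. Field names are assumptions for this example.
HR_FEED = {
    "tnurse01": {"status": "terminated", "end_date": "2024-06-30", "role": "travel_nurse"},
    "jdoe":     {"status": "active",     "end_date": None,         "role": "charge_nurse"},
    "asmith":   {"status": "active",     "end_date": None,         "role": "billing_clerk"},
}
ACCOUNTS = [
    # Contractor who left a year ago but was never deprovisioned.
    {"uid": "tnurse01", "enabled": True,  "provisioned_role": "travel_nurse"},
    # Employee who moved roles; access still reflects the old role.
    {"uid": "jdoe",     "enabled": True,  "provisioned_role": "billing_clerk"},
    # Healthy: active employee, role matches what was provisioned.
    {"uid": "asmith",   "enabled": True,  "provisioned_role": "billing_clerk"},
    # No HR record at all: an orphaned account.
    {"uid": "ghost99",  "enabled": True,  "provisioned_role": "travel_nurse"},
    # Already disabled leaver: the desired end state, so not reported.
    {"uid": "oldtemp",  "enabled": False, "provisioned_role": "travel_nurse"},
]

def find_lingering_access(hr_feed, accounts, today_iso):
    """Return (uid, finding, detail) for each enabled account that should not be.

    Findings: 'lingering' (leaver still enabled), 'orphan' (no HR record),
    'recertify' (role changed since access was granted).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are what offboarding should produce
        uid = acct["uid"]
        rec = hr_feed.get(uid)
        if rec is None:
            findings.append((uid, "orphan", "enabled account with no HR record"))
        elif rec["status"] == "terminated":
            days = (today - date.fromisoformat(rec["end_date"])).days
            findings.append((uid, "lingering", f"still enabled {days} days after end date"))
        elif rec["role"] != acct["provisioned_role"]:
            findings.append((uid, "recertify",
                             f"role changed {acct['provisioned_role']} -> {rec['role']}"))
    return findings

if __name__ == "__main__":
    for uid, finding, detail in find_lingering_access(HR_FEED, ACCOUNTS, "2025-07-01"):
        print(f"{finding:10} {uid:10} {detail}")
```

In practice the HR feed and account export come from the authoritative systems on a schedule, and each finding opens a ticket to disable, recertify or investigate rather than just printing.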

That’s it for this round of Facepalm Files. Want fewer uh-ohs and more a-has? Download the Modern Identity Security for Dummies, SailPoint Special Edition guide for your ticket to success.