Healthcare Case Study

Revenue Cycle Management Team at a US Non-Profit Hospital NetworkCatching PHI Exfiltration That USB Controls Miss

When the IT security team discovered that a billing team member had been uploading patient account records to a personal Google Drive account from her workstation — despite having USB write controls in place — they realized they needed to see what was on screen, not just what was plugged in. PrivateDLP's AI screen auditing gave them the screenshot evidence that proved the breach.

Multi-Hospital
Outpatient Clinic Network (US Midwest)
~150
RCM Workstations
PHI Exfiltration
AI-Detected Cloud Upload

Executive Summary

A non-profit regional hospital network in the US Midwest — several hospitals and a network of outpatient clinics, with thousands of employees — had long relied on USB write controls to keep protected health information (PHI) from leaving its network. The controls were strict: no USB storage on RCM workstations, encrypted medical-grade drives only, and a fleet-wide blocklist enforced by group policy. Then a routine access log review turned up something troubling: a billing team member had been uploading patient account records to a personal Google Drive account from her workstation — every day for several weeks before anyone noticed. The USB blocklist showed nothing, of course — the data was leaving through the browser, not through a USB port.

The Revenue Cycle Management (RCM) IT security lead self-funded a PrivateDLP deployment covering ~150 billing, coding, and patient-access workstations across the network. The capability the team was buying: AI screen auditing that could see what was on the screen — and detect when patient billing data was being exposed through any channel a USB blocklist couldn't reach. Screenshots are analyzed by an AI model the customer's IT team selects themselves, with screenshots deleted immediately after analysis and retained evidence written to the customer's own storage. No patient data ever leaves the customer's environment.

Detects PHI exposure through browser-based exfiltration — personal cloud drives, personal email, unauthorized cloud apps — channels a USB blocklist can't see
Screenshot evidence captured at the moment of violation — what HIPAA auditors actually want to see, not reconstructed access logs from three weeks ago
Natural-language rules written by RCM managers, not regexes from a vendor — coders, billers, and patient access reps each get policies that fit their actual work
All screenshot data stays in the customer's environment — the customer chose their own AI model and their own evidence storage bucket

Client Profile

The client is the Revenue Cycle Management (RCM) division of a non-profit regional hospital network in the US Midwest. The broader network operates several acute-care hospitals and a network of outpatient clinics, with thousands of employees, hundreds of employed physicians, and an annual revenue cycle touching millions of patient accounts. The RCM division itself employs roughly 180 people across coding, billing, denial management, and patient access — most of them on a single campus, but with a growing share working remote under a hybrid schedule that took shape after 2022.

The deployment was self-funded by the RCM IT security lead after a routine access log review uncovered a billing team member uploading patient account records to a personal Google Drive account from her workstation — three weeks of daily uploads before anyone noticed. The funding came out of the division's existing security budget. There is no formal expansion plan to other divisions — the network's clinical and nursing informatics teams manage their own endpoints under separate governance. The RCM team owns its ~150 Windows 11 audit workstations outright, sets its own policies, and stores its own evidence in a private S3 bucket already used for compliance archives.

Network Footprint

Several hospitals, a network of outpatient clinics (US Midwest)

RCM Scope

Roughly 180 staff, ~150 audit workstations, millions of patient accounts/year

Team Structure

Coders, billers, denial management, patient access — different rules for each role

Funding & Governance

Self-funded by RCM IT security — no network-wide rollout planned

The Challenges

A US non-profit hospital network realizing its USB blocklist has a critical blind spot — PHI leaving through the browser, personal cloud, and after-hours workflows

USB Controls Can't Catch Browser-Based Exfiltration — And That's How PHI Was Actually Leaking

The network's group policy was strict: no removable USB storage, encrypted medical-grade drives only, and a fleet-wide blocklist enforced by endpoint management. None of that stopped a billing team member from opening a personal Google Drive window in Chrome and uploading patient account records — every day for three weeks, until a routine access log review caught it. The IT security team had no way to see what was happening inside the browser window. They knew something was wrong; they couldn't prove it until the cloud provider's activity log surfaced the uploads. The team needed to see what was on the screen at the moment the data left, not three weeks later from a vendor's audit log.

RCM Roles Aren't Uniform — Coders, Billers, and Patient Access Reps All Need Different Rules

The RCM division isn't one workflow, it's four. Coders spend their day inside encoder software reading clinical notes. Billers live in the practice management system posting charges and working denials. Denial management staff pull EOBs and write appeal letters. Patient access reps collect insurance cards and demographics at the front desk. A rule that flags personal email for one role can be a daily work tool for another. The IT security team needed a way for line managers — not vendor consultants — to write rules in plain language that match what their own teams actually do, without phoning IT for a regex change every time the workflow shifts.

HIPAA Auditors Want Evidence, Not Assurances — and the Logs Weren't Enough

When the personal cloud breach went to the privacy officer, the auditors asked the obvious question: show us the screenshot. The team had access logs showing the employee's Google Drive uploads and the date range — but no visual evidence of what was on the screen at the moment the data left. HIPAA's breach notification rule requires the covered entity to describe what was disclosed; the OCR audit protocol asks for evidence. The IT security lead realized that for the next incident, they would need to be able to point to a screenshot and say 'this is what was on the screen when the policy was broken,' with the file preserved in a chain-of-custody store the privacy officer controls.

After-Hours RCM Work Was Invisible — and a Compliance Risk Nobody Was Watching

RCM runs on overtime. Coders work nights and weekends to clear backlog, billers push claims at end-of-month close, and informal workarounds have crept in across the team — including staff who route billing work through personal cloud accounts so they can finish at home. The IT security lead had no visibility into what was actually happening during those off-hours blocks: whether staff were working productively, copying files to personal cloud to 'finish at home,' or — most worrying — whether the same personal-cloud behaviors discovered in the incident were repeating after hours, when nobody was walking the floor.

The Solution: PrivateDLP

The RCM IT security lead chose PrivateDLP for the one capability the existing stack didn't have — visibility into what was happening on the screen, with screenshot evidence captured at the moment of a policy violation

Centralized Web Management Console

The RCM IT team manages all ~150 audit workstations from a single web console hosted inside the hospital's existing network. Role-based policies are pushed out by job function — coder, biller, denial management, patient access — so each group gets rules that fit what they actually do, and line managers can submit plain-language rule requests that the security team translates and deploys in under an hour.

Windows Audit Client

A lightweight Windows 11 client runs on each RCM workstation, capturing periodic screenshots and applying the active policy in real time. The client enforces USB controls, blocks the personal cloud and personal email sites the policy team has flagged, and screenshots are queued for analysis only when the workstation is in scope of an active rule. Idle workstations are skipped — coders reading notes on a tablet next to a workstation don't generate screenshots.

RCM Deployment: ~150 Windows 11 audit workstations across the RCM division — coders, billers, denial management, and patient access. Rollout completed in approximately six weeks from procurement to last-site deployment. Clinical and nursing informatics teams are out of scope; they manage their own endpoints under separate governance.

Data Handling Choice: Screenshots are analyzed by an AI model the customer's IT team selected and configured themselves — not routed to PrivateDLP's default model. Screenshots are deleted immediately after analysis, and any violation evidence is written to a private S3 bucket the privacy officer already uses for compliance archives. The customer owns its evidence end to end. No patient data leaves the hospital's environment for AI analysis or evidence storage.

Implementation & Key Capabilities

PrivateDLP gave the RCM IT security team the screen-level visibility and evidence chain the existing DLP stack couldn't — wrapped in a deployment the privacy officer could approve

AI Screen Auditing With Natural-Language Rules Written By RCM Managers

The capability the IT security lead was buying: AI analysis of periodic screenshots, with rules that line managers can write in plain English and the security team can deploy in minutes:

  • Plain-language rule definition: A denial management manager writes a rule like 'flag any screenshot showing a patient account number on a personal Gmail compose window' — no regex, no DLP consultant
  • Periodic screenshot capture from the Windows audit client, queued for analysis only while the workstation is in scope of an active rule
  • Role-scoped rule sets: coders, billers, denial management, and patient access each get their own policy bundle — so a rule that flags personal email for one role doesn't trigger false positives for another
  • Audit trail of every rule change — who wrote it, who approved it, when it went live, and which workstations it currently applies to

Privacy-First Screenshot Handling — Customer's AI, Customer's Storage

The privacy officer signed off on the deployment because the data handling met the same standard the hospital applies to PHI itself:

  • Screenshots are deleted immediately after AI analysis completes — they are not retained on the workstation or in any queue once the analysis result is recorded
  • The customer's IT team selects which AI model performs the analysis — the default model is one option, but this customer routed screenshots to an LLM they already had approval to use, with all inference happening inside the hospital network
  • Screenshots are not used to train any AI model, including the customer's own — analysis is read-only and the model has no retention path back to the source data
  • Violation evidence is written to a private S3 bucket the privacy officer controls, with chain-of-custody metadata captured at the moment of write — not retroactively

Configurable Violation Alerts With Screenshot Evidence

The HIPAA auditors' question was 'show us the screenshot.' The alerting system is built to answer it:

  • Real-time alert to the IT security lead and the privacy officer the moment a rule fires, with the violating screenshot attached and the user, workstation, timestamp, and active rule identified
  • Alert routing by rule severity — a PHI exposure to a personal cloud account pages the on-call security analyst; a low-severity policy nudge is logged for the morning review
  • Screenshot evidence preserved in the privacy officer's S3 bucket for the retention period the hospital's breach notification policy requires — currently seven years for confirmed breach artifacts
  • Audit-ready export: the privacy officer can produce a single ZIP of screenshots, rule versions, and access logs for any workstation over any date range, formatted for OCR submission

Enterprise Device & Network Control Built Around How RCM Actually Works

The screen auditing is the differentiator, but the deployment also replaced three legacy endpoint tools the RCM team had been maintaining on the side:

  • USB read/write control with a hardware-allowlist — encrypted medical-grade drives approved for legitimate data exchange; everything else blocked at the endpoint
  • Web whitelists and blacklists by role — billers get the clearinghouse portals; patient access reps get the eligibility verification tools; both groups have personal cloud and personal email blocked at the browser level
  • Time-based policies — stricter rules apply during overnight off-hours blocks when coders are working through backlog, and the rules relax during business hours when patient access reps are interacting with patients at the front desk
  • Application control and firewall rules — the practice management system, encoder, and EHR client are allowlisted for network access; everything else is denied by default

What Changed In The RCM Division

Four months after the rollout, the team is catching what their USB blocklist couldn't — and producing evidence the privacy officer can hand to a regulator without rebuilding it from scratch

Metric / ObjectiveBefore PrivateDLPAfter PrivateDLP
PHI Exposure Incidents Caught
USB blocklist showed nothing; the Google Drive breach was caught three weeks later from an access log, not from any internal alert4 confirmed policy violations flagged in the first 60 days — including 2 that the team would not have caught from logs alone
HIPAA Audit Response Time
Auditor questions about the Google Drive breach took ~3 months to answer; the team was reconstructing events from access logs and cloud provider reportsPrivacy officer produces screenshot evidence on demand; subsequent mock-audit questions answered the same day
Confirmed Patient Data Exfiltration
1 confirmed breach (billing team member uploading to personal Google Drive); IT security had no way to know if it was an isolated incident or a pattern0 confirmed PHI exfiltration events in the 4 months following rollout; 2 caught-and-corrected before any data left the network
RCM After-Hours Compliance
Off-hours billing work routed through personal cloud was invisible; informal 'work from home' workflows had become a de facto compliance gapTime-based policies surfaced a small group of repeat after-hours personal-cloud activity; addressed via policy update and team training, no repeat incidents
PHI Exposure Incidents Caught
4 in 60 days
HIPAA Audit Response Time
Same-day evidence
Confirmed Patient Data Exfiltration
0 exfiltration events
RCM After-Hours Compliance
After-hours visibility

"We were never going to catch a Google Drive upload with a USB blocklist. The first time the AI flagged a patient billing screen alongside an open Google Drive upload window, we had the screenshot we needed to act — without having to wait three weeks for a cloud provider audit log to surface it. That evidence is what HIPAA auditors actually want to see, and it's what our privacy officer needed to push the case through HR. Six months in, the screenshot is the artifact, not the log line."

— IT Security Lead, Revenue Cycle Management
Non-profit regional hospital network (US Midwest)

"I'd been asking for screen-level DLP for two years and getting the same answer from every vendor — six-figure SOC integration, year-long rollout, and a regex language my managers can't read. What I actually needed was a rule my denial management lead could write in a sentence and the security team could deploy the same morning. The first time one of those rules fired, we caught a coder who'd been quietly uploading denial letters to a personal Dropbox after hours — not malicious, just working from home through her personal cloud like half the department was doing. But the kind of thing that becomes a breach notice if you find it six months later in a forensic audit."

— RCM IT Security Lead

The RCM division's deployment is small, self-funded, and intentionally bounded to the workflows the security team can directly govern. The clinical and nursing informatics teams run their own endpoint programs under separate governance. What changed inside the RCM division is the kind of change that doesn't show up in a feature list: when something looks wrong on a billing workstation, the security team can answer the privacy officer's question with a screenshot, in the same hour, from evidence the customer already owns.

The deployment is not a network-wide rollout plan. It is a division that found a blind spot, bought a tool that fit the gap, and built a rule set its own managers can actually maintain.