Revenue Cycle Management Team at a US Non-Profit Hospital NetworkCatching PHI Exfiltration That USB Controls Miss
When the IT security team discovered that a billing team member had been uploading patient account records to a personal Google Drive account from her workstation — despite having USB write controls in place — they realized they needed to see what was on screen, not just what was plugged in. PrivateDLP's AI screen auditing gave them the screenshot evidence that proved the breach.
Executive Summary
A non-profit regional hospital network in the US Midwest — several hospitals and a network of outpatient clinics, with thousands of employees — had long relied on USB write controls to keep protected health information (PHI) from leaving its network. The controls were strict: no USB storage on RCM workstations, encrypted medical-grade drives only, and a fleet-wide blocklist enforced by group policy. Then a routine access log review turned up something troubling: a billing team member had been uploading patient account records to a personal Google Drive account from her workstation — every day for several weeks before anyone noticed. The USB blocklist showed nothing, of course — the data was leaving through the browser, not through a USB port.
The Revenue Cycle Management (RCM) IT security lead self-funded a PrivateDLP deployment covering ~150 billing, coding, and patient-access workstations across the network. The capability the team was buying: AI screen auditing that could see what was on the screen — and detect when patient billing data was being exposed through any channel a USB blocklist couldn't reach. Screenshots are analyzed by an AI model the customer's IT team selects themselves, with screenshots deleted immediately after analysis and retained evidence written to the customer's own storage. No patient data ever leaves the customer's environment.
Client Profile
The client is the Revenue Cycle Management (RCM) division of a non-profit regional hospital network in the US Midwest. The broader network operates several acute-care hospitals and a network of outpatient clinics, with thousands of employees, hundreds of employed physicians, and an annual revenue cycle touching millions of patient accounts. The RCM division itself employs roughly 180 people across coding, billing, denial management, and patient access — most of them on a single campus, but with a growing share working remote under a hybrid schedule that took shape after 2022.
The deployment was self-funded by the RCM IT security lead after a routine access log review uncovered a billing team member uploading patient account records to a personal Google Drive account from her workstation — three weeks of daily uploads before anyone noticed. The funding came out of the division's existing security budget. There is no formal expansion plan to other divisions — the network's clinical and nursing informatics teams manage their own endpoints under separate governance. The RCM team owns its ~150 Windows 11 audit workstations outright, sets its own policies, and stores its own evidence in a private S3 bucket already used for compliance archives.
Network Footprint
Several hospitals, a network of outpatient clinics (US Midwest)
RCM Scope
Roughly 180 staff, ~150 audit workstations, millions of patient accounts/year
Team Structure
Coders, billers, denial management, patient access — different rules for each role
Funding & Governance
Self-funded by RCM IT security — no network-wide rollout planned
The Challenges
A US non-profit hospital network realizing its USB blocklist has a critical blind spot — PHI leaving through the browser, personal cloud, and after-hours workflows
USB Controls Can't Catch Browser-Based Exfiltration — And That's How PHI Was Actually Leaking
The network's group policy was strict: no removable USB storage, encrypted medical-grade drives only, and a fleet-wide blocklist enforced by endpoint management. None of that stopped a billing team member from opening a personal Google Drive window in Chrome and uploading patient account records — every day for three weeks, until a routine access log review caught it. The IT security team had no way to see what was happening inside the browser window. They knew something was wrong; they couldn't prove it until the cloud provider's activity log surfaced the uploads. The team needed to see what was on the screen at the moment the data left, not three weeks later from a vendor's audit log.
RCM Roles Aren't Uniform — Coders, Billers, and Patient Access Reps All Need Different Rules
The RCM division isn't one workflow, it's four. Coders spend their day inside encoder software reading clinical notes. Billers live in the practice management system posting charges and working denials. Denial management staff pull EOBs and write appeal letters. Patient access reps collect insurance cards and demographics at the front desk. A rule that flags personal email for one role can be a daily work tool for another. The IT security team needed a way for line managers — not vendor consultants — to write rules in plain language that match what their own teams actually do, without phoning IT for a regex change every time the workflow shifts.
HIPAA Auditors Want Evidence, Not Assurances — and the Logs Weren't Enough
When the personal cloud breach went to the privacy officer, the auditors asked the obvious question: show us the screenshot. The team had access logs showing the employee's Google Drive uploads and the date range — but no visual evidence of what was on the screen at the moment the data left. HIPAA's breach notification rule requires the covered entity to describe what was disclosed; the OCR audit protocol asks for evidence. The IT security lead realized that for the next incident, they would need to be able to point to a screenshot and say 'this is what was on the screen when the policy was broken,' with the file preserved in a chain-of-custody store the privacy officer controls.
After-Hours RCM Work Was Invisible — and a Compliance Risk Nobody Was Watching
RCM runs on overtime. Coders work nights and weekends to clear backlog, billers push claims at end-of-month close, and informal workarounds have crept in across the team — including staff who route billing work through personal cloud accounts so they can finish at home. The IT security lead had no visibility into what was actually happening during those off-hours blocks: whether staff were working productively, copying files to personal cloud to 'finish at home,' or — most worrying — whether the same personal-cloud behaviors discovered in the incident were repeating after hours, when nobody was walking the floor.
The Solution: PrivateDLP
The RCM IT security lead chose PrivateDLP for the one capability the existing stack didn't have — visibility into what was happening on the screen, with screenshot evidence captured at the moment of a policy violation
Centralized Web Management Console
The RCM IT team manages all ~150 audit workstations from a single web console hosted inside the hospital's existing network. Role-based policies are pushed out by job function — coder, biller, denial management, patient access — so each group gets rules that fit what they actually do, and line managers can submit plain-language rule requests that the security team translates and deploys in under an hour.
Windows Audit Client
A lightweight Windows 11 client runs on each RCM workstation, capturing periodic screenshots and applying the active policy in real time. The client enforces USB controls, blocks the personal cloud and personal email sites the policy team has flagged, and screenshots are queued for analysis only when the workstation is in scope of an active rule. Idle workstations are skipped — coders reading notes on a tablet next to a workstation don't generate screenshots.
RCM Deployment: ~150 Windows 11 audit workstations across the RCM division — coders, billers, denial management, and patient access. Rollout completed in approximately six weeks from procurement to last-site deployment. Clinical and nursing informatics teams are out of scope; they manage their own endpoints under separate governance.
Data Handling Choice: Screenshots are analyzed by an AI model the customer's IT team selected and configured themselves — not routed to PrivateDLP's default model. Screenshots are deleted immediately after analysis, and any violation evidence is written to a private S3 bucket the privacy officer already uses for compliance archives. The customer owns its evidence end to end. No patient data leaves the hospital's environment for AI analysis or evidence storage.
Implementation & Key Capabilities
PrivateDLP gave the RCM IT security team the screen-level visibility and evidence chain the existing DLP stack couldn't — wrapped in a deployment the privacy officer could approve
AI Screen Auditing With Natural-Language Rules Written By RCM Managers
The capability the IT security lead was buying: AI analysis of periodic screenshots, with rules that line managers can write in plain English and the security team can deploy in minutes:
- Plain-language rule definition: A denial management manager writes a rule like 'flag any screenshot showing a patient account number on a personal Gmail compose window' — no regex, no DLP consultant
- Periodic screenshot capture from the Windows audit client, queued for analysis only while the workstation is in scope of an active rule
- Role-scoped rule sets: coders, billers, denial management, and patient access each get their own policy bundle — so a rule that flags personal email for one role doesn't trigger false positives for another
- Audit trail of every rule change — who wrote it, who approved it, when it went live, and which workstations it currently applies to
Privacy-First Screenshot Handling — Customer's AI, Customer's Storage
The privacy officer signed off on the deployment because the data handling met the same standard the hospital applies to PHI itself:
- Screenshots are deleted immediately after AI analysis completes — they are not retained on the workstation or in any queue once the analysis result is recorded
- The customer's IT team selects which AI model performs the analysis — the default model is one option, but this customer routed screenshots to an LLM they already had approval to use, with all inference happening inside the hospital network
- Screenshots are not used to train any AI model, including the customer's own — analysis is read-only and the model has no retention path back to the source data
- Violation evidence is written to a private S3 bucket the privacy officer controls, with chain-of-custody metadata captured at the moment of write — not retroactively
Configurable Violation Alerts With Screenshot Evidence
The HIPAA auditors' question was 'show us the screenshot.' The alerting system is built to answer it:
- Real-time alert to the IT security lead and the privacy officer the moment a rule fires, with the violating screenshot attached and the user, workstation, timestamp, and active rule identified
- Alert routing by rule severity — a PHI exposure to a personal cloud account pages the on-call security analyst; a low-severity policy nudge is logged for the morning review
- Screenshot evidence preserved in the privacy officer's S3 bucket for the retention period the hospital's breach notification policy requires — currently seven years for confirmed breach artifacts
- Audit-ready export: the privacy officer can produce a single ZIP of screenshots, rule versions, and access logs for any workstation over any date range, formatted for OCR submission
Enterprise Device & Network Control Built Around How RCM Actually Works
The screen auditing is the differentiator, but the deployment also replaced three legacy endpoint tools the RCM team had been maintaining on the side:
- USB read/write control with a hardware-allowlist — encrypted medical-grade drives approved for legitimate data exchange; everything else blocked at the endpoint
- Web whitelists and blacklists by role — billers get the clearinghouse portals; patient access reps get the eligibility verification tools; both groups have personal cloud and personal email blocked at the browser level
- Time-based policies — stricter rules apply during overnight off-hours blocks when coders are working through backlog, and the rules relax during business hours when patient access reps are interacting with patients at the front desk
- Application control and firewall rules — the practice management system, encoder, and EHR client are allowlisted for network access; everything else is denied by default
What Changed In The RCM Division
Four months after the rollout, the team is catching what their USB blocklist couldn't — and producing evidence the privacy officer can hand to a regulator without rebuilding it from scratch
| Metric / Objective | Before PrivateDLP | After PrivateDLP |
|---|---|---|
PHI Exposure Incidents Caught | USB blocklist showed nothing; the Google Drive breach was caught three weeks later from an access log, not from any internal alert | 4 confirmed policy violations flagged in the first 60 days — including 2 that the team would not have caught from logs alone |
HIPAA Audit Response Time | Auditor questions about the Google Drive breach took ~3 months to answer; the team was reconstructing events from access logs and cloud provider reports | Privacy officer produces screenshot evidence on demand; subsequent mock-audit questions answered the same day |
Confirmed Patient Data Exfiltration | 1 confirmed breach (billing team member uploading to personal Google Drive); IT security had no way to know if it was an isolated incident or a pattern | 0 confirmed PHI exfiltration events in the 4 months following rollout; 2 caught-and-corrected before any data left the network |
RCM After-Hours Compliance | Off-hours billing work routed through personal cloud was invisible; informal 'work from home' workflows had become a de facto compliance gap | Time-based policies surfaced a small group of repeat after-hours personal-cloud activity; addressed via policy update and team training, no repeat incidents |
"We were never going to catch a Google Drive upload with a USB blocklist. The first time the AI flagged a patient billing screen alongside an open Google Drive upload window, we had the screenshot we needed to act — without having to wait three weeks for a cloud provider audit log to surface it. That evidence is what HIPAA auditors actually want to see, and it's what our privacy officer needed to push the case through HR. Six months in, the screenshot is the artifact, not the log line."
"I'd been asking for screen-level DLP for two years and getting the same answer from every vendor — six-figure SOC integration, year-long rollout, and a regex language my managers can't read. What I actually needed was a rule my denial management lead could write in a sentence and the security team could deploy the same morning. The first time one of those rules fired, we caught a coder who'd been quietly uploading denial letters to a personal Dropbox after hours — not malicious, just working from home through her personal cloud like half the department was doing. But the kind of thing that becomes a breach notice if you find it six months later in a forensic audit."
The RCM division's deployment is small, self-funded, and intentionally bounded to the workflows the security team can directly govern. The clinical and nursing informatics teams run their own endpoint programs under separate governance. What changed inside the RCM division is the kind of change that doesn't show up in a feature list: when something looks wrong on a billing workstation, the security team can answer the privacy officer's question with a screenshot, in the same hour, from evidence the customer already owns.
The deployment is not a network-wide rollout plan. It is a division that found a blind spot, bought a tool that fit the gap, and built a rule set its own managers can actually maintain.