Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Double-Check Before You Hit Send: A Real-World Reminder with Lessons for Healthcare

March 27, 2025

I created this blog post to share internally as part of security awareness. It’s focused on healthcare but feel free to grab and adjust based on your organization.

We often remind staff to double-check before sharing sensitive information—but a recent national security incident shows just how critical that habit really is. If top government officials can make this kind of mistake, so can we—and in healthcare, the consequences can be just as severe.

What Happened?

Recently, a Signal group chat meant for senior U.S. national security officials mistakenly included Jeffrey Goldberg, editor-in-chief of The Atlantic. The chat included operational details about military actions and involved key figures like the Secretary of Defense and CIA Director. The worst part? No one noticed Goldberg was there. He even left the group on his own, without anyone asking who he was or why he left.

The entire exchange happened on personal devices, outside of secure government systems—an environment where sensitive discussions have no business taking place.

Why This Matters in Healthcare

This story should strike a chord in healthcare. We work in an industry where confidentiality isn’t just a best practice—it’s the law. Whether it’s a patient’s diagnosis, treatment plan, or billing information, sharing sensitive data with the wrong person can lead to HIPAA violations, fines, reputational damage, and—most importantly—a loss of patient trust.

And here’s something we can’t overlook: internal mishaps cause more security incidents than external attacks. It’s not always hackers or ransomware actors—it’s misdirected emails, accidental disclosures, and staff using unapproved tools for convenience. These are preventable mistakes, but only if we stay mindful of how we handle sensitive information.

Best Practices for Handling Sensitive Information

  • Verify recipients: Before sharing anything patient-related, make sure you’re communicating with the right colleague—especially in group chats or email threads.

  • Use approved platforms: Consumer apps like Signal or iMessage are not secure for handling protected health information (PHI). Stick to tools your organization has approved for sensitive communication.

  • Be aware of who's listening: Just because someone is in a conversation doesn’t mean they should be. If you don’t recognize a name, say something.

  • Treat names and dates as sensitive too: Even something as simple as a patient’s name and appointment time can be considered PHI under HIPAA.

Security culture in healthcare means asking the hard questions, slowing down when it matters most, and protecting every patient’s privacy—one message at a time. Because it’s not just about following rules. It’s about earning the trust our patients place in us every single day.

In News, Advice Tags Security Awareness, Healthcare, Data Security