I just received an email from another listserv today, and thought of the blog post I wrote here a while back. Here’s the email I received and I’ll comment more below:
Thought I’d warn you of a thing that’s apparently going around in Skype.
I had my Skype account hijacked. The hijacker changed my password and email address that was associated with my account so I could not get into the account again myself.
Then they placed phone calls and charged the credit card that’s on file for autobill with Skype.
It apparently started when I received a file attachment from a known business contact that looked like an image file but wouldn’t open after I downloaded it.
Skype customer service helped me out with it, but it’s a pain. Be careful with attachments – even if they come from trusted sources! If you don’t know what is being sent, confirm via text message before downloading anything!
I had the same thing happen to me with Chat rooms, where I would be in the room and receive messages from someone else who was posing as ME, teasing ME about SECURITY while I was talking to my world-wide programming staff. That made me shy away from even thinking about using chat rooms with patients.
Now the report above is being circulated out of the blue from one of my other listservs.
I know SKYPE is supposedly encrypted way above HIPAA requirements, but one does have to stop and wonder how those passwords were obtained. Was someone using an unencrypted wireless connection when they tried to access their SKYPE account at some point? Were they in a cafe and not thinking that someone else might have set up a phishing operation across that cafe house wall?
What lesson does this event hold for us as practitioners? Should we include a statement in our consent forms that stipulates that clients/patients should not use wireless networks when entering their SKYPE address if they ever want to use SKYPE for mental health treatment? How responsible are they vs. us if they “forget” and their confidentiality is violated? Are we at fault even if we asked them to sign a consent form addressing this issue?
Am I missing the point? Is there another way someone might have gotten those SKYPE passwords? Please comment below.