Part of her response may be due to the fact that she knows she screwed up...big time. Sounds like she is using an app without required protections. I am guessing the cyber security folks are not going to be impressed with her disregard for security requirements. Snooping at a list of names on her desk would also be her problem. You have no legal obligation not to look; she has a legal obligation to keep patient information secure. In this case, a better analogy would be is that she (knowingly) mailed you a list of patients. She is the one in the wrong, not you. Although maybe her attempting to get some cover might be acceptable, trying to throw responsibility at you is completely inappropriate and unethical. I totally get that technology adds in whole new dimensions of complication, which just reinforces my belief that a person shouldn't be using what they are ill-equipped to manage responsibly. Perhaps she went to the security folks before she used this, but if not, in my opinion, she should be sanctioned/disciplined. I have fired employees for violating data privacy laws, regulations and policies. If a breach of your information has occurred, you have the right to know and to understand what she and the organization are going to do to rectify. In addition to HIPAA, if she treats children, she may also have violated COPPA. Clearly, this really ticks me off! Apologies if I offended.