πŸ”’
Protected Dashboard
Outsource Access Β· ALTN Account Intelligence
Any Lab Test Now ⚠ CRITICAL β€” TERMINATED
Account Status
TERMINATED
June 24, 2026 β€” HIPAA breach
Engagement Duration
0
Weeks (Apr 27 – Jun 24)
Peak Daily Tickets
0
June 10, 2026 β€” all-time high
Backlog at Termination
50+
Open tickets at June 22 audit
Coaching Sessions
0
May 4 – June 23, 2026
PHI Recipients Exposed
2
External β€” unrelated to customer

OA Team

Account ManagerMaria Paola Apacible
Operations ManagerTreve Gonzaga
Team LeaderMary Ann Palacio
HR / People OpsCleofe Rose Ann Niez
Security LeadStephen Bill De Veyra
Project Manager β€” Strategic InitiativesAlva Bayawa

Client Details

ClientAny Lab Test Now (ALTN)
Scale250 U.S. franchise locations
Billing / StrategyDavid Wheeler
IT ManagerBrandon Owens
IT Team SizeBrandon + 6 (35 corporate staff)
VA RoleIT Support Specialist (Tier 1–2)

Tool Stack

Salesforce CRM Google Workspace Bitwarden Litmos LMS Time Doctor 2 CareEvolve Guide (Video SOPs) AWS (migration)
⚠ Time Doctor 2: HIPAA screen-recording compliance under urgent review by Stephen De Veyra.

Compliance Snapshot

HIPAA Training (Litmos)Completed Wk 1
HIPAA ViolationConfirmed β€” Reportable
System Access RevokedJune 24
Device Wipe (recorded)June 24
NTE + Preventive SuspensionPending Legal
Policy ViolationsCategory C + Category D
Federal Reporting ThresholdBeing Assessed
"Please make sure first and above all our entire audit trail of this VA from interview, hire, background check, computer validation, internet access, etc... As I'm quite sure we will probably end up dealing with a legal issue and a lawsuit here. We need to demonstrate we took proper precautions with zero negligence."
β€” Brad Stevens, CEO Β· Outsource Access Β· June 24, 2026 (internal chat)

Ticket Volume Over Time β€” High-Start, Sharp-Decline Pattern

Weekly Hours & Idle Time

Performance Phase Summary

The Critical Gap β€” June 17 vs June 22

On June 17, Dennis's weekly 1-on-1 reported all KPIs as "all good" β€” attendance, CSAT, responsiveness, playbook, compliance. Just 6 days later, a client-side audit uncovered 50+ backlogged tickets and SLA violations spanning 1–2 weeks. This gap exposes a structural vulnerability: weekly check-ins relying on VA self-report with no independent ticket-level verification.

~Mar 10, 2026
Initial Connection β€” LinkedIn / Tsource
Salesβ–Ύ
CEO Brad Stevens connected with David Wheeler via LinkedIn. Account sourced through Tsource (franchise partner). Client did not disclose healthcare context. JD was silent on PHI access. Intake Zoom recording not retained.
Apr 14, 2026
Requisition Closed β€” Account Tagged "Healthcare"
Salesβ–Ύ
Requisition formally closed and converted. Account was tagged "healthcare client" internally β€” but no HIPAA training gate was activated. Role still understood as standard IT support with no PHI handling specified.
Apr 24, 2026
Official Client Onboarding
Onboardingβ–Ύ
90-day integration plan established. VA role, 11 critical tasks, full tool stack, and shift schedule (8 AM–5 PM EST) defined. PHI handling not mentioned. Time Doctor 2 disclosed; screen recording practice not specifically discussed.
Apr 27, 2026
Dennis's Official Start Date
Onboardingβ–Ύ
Dennis begins engagement. Focuses on system setup and specialized platform access. 11 self-paced training modules initiated covering Salesforce, soft skills, and internal tools.
May 11, 2026
Client Feedback β€” Exceeding Expectations
Onboardingβ–Ύ
Dennis independently resolved his first helpdesk tickets. Brandon praised his quick learning curve. Client sentiment: highly positive.
May 28, 2026
30-Day Touchbase Meeting
Onboardingβ–Ύ
Full 30-day milestone review with VA, TL, OM, AM, and client. Account on track. AM present; no compliance concerns raised at this stage.
Jun 2, 2026
Monthly Progress β€” 17 Tickets/Day Peak
Scale-Upβ–Ύ
Dennis scaling to 15–20 tickets/day (peak 17). Proactively requested Google Voice for voicemail handling. Began creating SOP video guides. Client satisfaction high. Account: Active, On Track.
Jun 10, 2026
Peak Performance β€” 31 Tickets/Day
Scale-Upβ–Ύ
Best performance week. Peak resolution rate: 31 tickets in a single day. Idle time reduced to 42%. Client: On Track. No concerns flagged at this point.
Jun 17, 2026
Weekly 1-on-1 β€” All Self-Reported "All Good"
Scale-Upβ–Ύ
All KPIs self-reported as "all good" β€” EODR/SODR, CSAT, responsiveness, playbook, compliance. No ticket backlog, SLA issues, or client coaching concerns disclosed. Signed by Dennis. Just 7 days before breach discovery β€” the critical gap.
Jun 22, 2026 Β· 1:00 PM EST
Performance Escalation Audit β€” 50+ Ticket Backlog
Breachβ–Ύ
Brandon audited the IT queue and discovered: 50+ open tickets in backlog; tickets inactive 1–2 weeks (SLA/TCO violations); missing mandatory fields (Case Type, Reason, Contact Name, Email). Brandon met with Dennis directly to review issues and set cleanup deadline of June 25.
Jun 23, 2026
OA Coaching Session β€” Post-Escalation (Final)
Breachβ–Ύ
TL + VA coaching following client escalation. Dennis committed verbatim to daily end-of-shift ticket scrub. Integration Manager signature obtained. HIPAA breach discovered 24 hours later.
Jun 24 Β· 9:30 AM EST
⚠ HIPAA Breach Discovered
Breachβ–Ύ
Brandon discovered Dennis sent customer PHI (full name, DOB, email) to an incorrect external recipient (franchise development lead) via Salesforce auto-populate. Correction attempt sent PHI to a second wrong person. All ALTN system access immediately revoked. Confirmed reportable HIPAA violation.
Jun 24 Β· 11:30 AM EST
Emergency Security Sync β€” Formal Termination
Breachβ–Ύ
David Wheeler and Brandon Owens met with OA stakeholders (AM, OM, TL, CGO, HVAS, SOM). David expressed complete loss of trust. ALTN confirmed immediate termination. ALTN will take 2–6 weeks to evaluate alternatives before deciding on replacement.
Jun 24 Β· Post-Call
Emergency Device Wipe & Offboarding
Breachβ–Ύ
OA tech team executed a full remote hard-wipe of Dennis's local machine. Fully recorded; video forwarded to Brandon Owens. VA cooperative; no red flags found. OM Treve Gonzaga requested Litmos HIPAA certificate screenshot from Brandon.
Jun 25 Β· 10:30 PM PH
Internal Emergency Alignment Meeting (RCA Prep)
Breachβ–Ύ
Cross-functional OA team (11 attendees, led by Cleofe Niez) convened to consolidate chronology for CEO-requested RCA. 6 systemic control gaps identified. Deliverable: full RCA to CEO before June 26 noon.

6 sessions conducted by TL Mary Ann Palacio Β· May 4 – June 23, 2026 Β· Click any session to expand.

1
May 4, 2026
Shadowing Transition & Time Doctor Tagging
Trend-Basedβ–Ύ

Coaching Details

  • Shadowing-to-independent ticket handling reviewed
  • 3 tickets: 2 solo, 1 collaborative
  • Time Doctor tagging issues identified β€” work miscategorized
  • Self-assessed 100% ready; accurate reporting flagged

Root Cause

Onboarding learning curve; inconsistent task categorization; inaccurate time tracking

Commitment

Handle tickets independently; tag accurately; report honestly; join meetings proactively

2
May 12, 2026
Playbook Documentation & SLA Standards
Trend-Basedβ–Ύ

Coaching Details

  • Playbook documentation expectations formally set
  • Ticket protocols and SLA obligations reviewed
  • Service continuity expectations established
  • Dennis's initiative noted positively by TL

Root Cause

Still onboarding; limited ticket exposure; SOP documentation lacking; client supervision occasionally limited

TL Notes

Strong initiative; willingness to learn; proactive communication; needs ticket exposure

3
May 19, 2026
Documentation Consistency & Regularization KPIs
Trend-Basedβ–Ύ

Coaching Details

  • Daily ticket performance reviewed
  • Playbook still pending β€” now linked to performance evaluation
  • Inconsistent documentation formally flagged
  • Regularization KPI expectations clarified

TL Notes

Steady progress; good understanding of Malt system; needs documentation consistency; positive attitude

Commitment

Complete playbook by end of May; use AI tools (Loom/Gemini/ChatGPT); attend Brandon's meetings

4
May 19, 2026 β€” Week 3
Weekly 1-on-1 Β· 14 Tickets in One Day
Weekly 1-on-1β–Ύ
Personal Check-in (1–10)8/10 β€” adapting to process easily
Weekly Hours40h 31m
Idle Time48% (ticket handling + training)
CSATNo CSAT received this week
Biggest Win14 tickets handled in a single day
Client Temp CheckBrandon busy β€” proactively coordinated with Rowena and Jill
ConcernsNone

Signed: Dennis Lacamiento β€” May 19, 2026

5
June 17, 2026
Weekly 1-on-1 Β· All "All Good" β€” 7 Days Before Breach
Weekly 1-on-1β–Ύ
Personal Check-in8/10
Weekly Hours40h 25m
Idle Time42%
EODR/SODRAll good (self-reported)
CSATAll good (self-reported)
ResponsivenessAll good (self-reported)
PlaybookAll good (self-reported)
ComplianceAll good (self-reported)
Biggest Win"Resolved" β€” no detail provided
ConcernsNone flagged
⚠ All metrics self-reported as "all good" β€” 6 days before discovery of 50+ ticket backlog and HIPAA breach. No ticket-level verification was part of this check-in.

Signed: Dennis Lacamiento β€” June 17, 2026

6
June 23, 2026
⚠ CRITICAL β€” Post-Escalation Coaching (Final Session)
Criticalβ–Ύ
This coaching was triggered by the June 22 client audit revealing 50+ ticket backlog. HIPAA breach discovered 24 hours after this session.

Issues Identified

  • 50+ open tickets in backlog
  • Tickets inactive 1–2 weeks (SLA/TCO violations)
  • Missing mandatory fields across tickets
  • Issues not raised in daily IT huddles

Dennis's Verbatim Commitment

"I will make sure that before the shift ends starting today, I will scrub my ticket and make a follow up if needed and document what happened on the ticket."

Integration Manager Signature obtained β€” June 23, 2026

⚠ HIPAA Data Breach β€” June 24, 2026

While managing an IT support ticket in Salesforce, Dennis sent a message containing Protected Health Information to an incorrect external recipient via auto-populate. His correction attempt sent the same PHI to a second wrong recipient. Confirmed reportable HIPAA violation.

PHI ExposedName + DOB + Email
Wrong Recipients2 External
Prior CoachingMultiple Times
Access RevokedSame Day
Device WipedRecorded

Client Assessment

DAVID WHEELER β€” Billing & Strategy

"Dennis was not properly reviewing tickets or verifying recipient addresses... his actions were plain sloppy. The HIPAA violation was not the core issue β€” it happened because of repeated carelessness."

BRANDON OWENS β€” IT Manager

"The recurring issues stemmed from a lack of attention to detail... He was not taking sufficient ownership of coaching feedback. The PHI incident was no longer simply coachable."

Regulatory & Legal Exposure

  • ALTN Compliance Manager assessing federal HIPAA reporting thresholds
  • Remediation in progress β€” notifying affected customer, franchise owner, and 2 unauthorized recipients
  • OA implicated as a business associate in ALTN's breach response
  • Brad Stevens to lead client-side damage control with David Wheeler
  • Legal risk flagged: potential lawsuit; full audit trail required to demonstrate zero negligence
  • Time Doctor 2 HIPAA compliance under urgent investigation β€” screen recording may have captured PHI

6 Systemic Control Gaps Identified

1
Sales Intake Disclosure

Client did not disclose healthcare/PHI context. No OA validation layer to reconcile industry against JD. Franchise/LLC naming obscured true client identity. Intake recording not retained.

2
Training Trigger

HIPAA training only activated by explicit client request β€” not by industry tag. Account was tagged "healthcare" at requisition close but no training gate activated. VA entered without PHI handling training.

3
Scope Drift

Actual tasks were not re-validated against agreed scope during 30/60-day milestones. VA's position: the task involved in the breach was outside the scope of his training.

4
Tooling Disclosure

Time Doctor screen recording not specifically disclosed to client. HIPAA compliance of TD2's recording feature not yet confirmed for regulated clients.

5
Coaching Loop Closure

Client-side coaching of Dennis (ticket reviews, chats, meetings) was never surfaced to OA. Brandon chose not to escalate, treating Dennis as an internal team member. OA sessions did not probe for client-side concerns.

6
Self-Report Dependency

Weekly 1-on-1s relied entirely on VA self-reporting with no independent ticket-level verification. June 17 (all green) vs June 22 audit (50+ backlog) illustrates this gap acutely.

All outstanding action items as of June 26, 2026.

Time Doctor 2 HIPAA compliance investigation β€” screen recording in regulated environments
Owner: Stephen De Veyra Β· Security Lead
URGENT
NTE + Preventive Suspension β€” legal approval for Dennis Lacamiento
Owner: HR / Legal
Pending
Litmos HIPAA certification screenshot from Brandon Owens
Owner: OM Treve Gonzaga Β· Client: Brandon
Pending
Cybersecurity breach ticket documentation from ALTN (for OA compliance file)
Owner: OM Treve Gonzaga
Pending
Validate from device-wipe recording that Dennis did not download or forward PHI files
Owner: OA Tech / Service Delivery
In Progress
Final RCA document β€” Jessieca Gavilan + Pao + EM Β· Due CEO before June 26 noon
Owner: Jessieca Gavilan
In Progress
Confirm all ALTN system access for Dennis is fully revoked across all SaaS seats
Owner: OA Tech Β· Client: ALTN IT
Pending
Proactive security audit of other healthcare/regulated client VAs (e.g., ResPro Help)
Owner: Service Delivery, Account Managers
To Initiate
Mandatory HIPAA training gate β€” implementation for all existing healthcare accounts
Owner: L&D / Service Delivery
In Progress
Client decision on replacement VA β€” ALTN 2–6 week evaluation window
Owner: AM Maria Paola Apacible
Waiting
"And of course this now has me triggering and thinking about any of our other healthcare clients, like ResPro Help, or any others at all in this space. Whatever caused this issue or how we got to it, we need to quadruple down and proactively see anything we can do to get ahead of those issues."
β€” Brad Stevens, CEO Β· June 24, 2026