Hospital Sends Legal Threats To Researcher, Then Asks For Her Help Identifying Breach Victims

from the sooooo-sorry-about-the-bullets... dept

Shooting the messenger is the most popular response to a reported data breach, making the job of a security researcher far more dangerous than it should ever be. The twist in the latest "shoot the messenger" story is the shooter coming back around to ask the shooting victim for help. Bad idea. Even if the body is still warm and breathing, it's probably not in the best of moods.

Dissent Doe runs databreaches.net, a site that covers all sorts of exposed data stories. Sometimes, Doe is asked by those discovering security holes to disclose the information to the affected parties. (See above paragraph for why.) In early May, Doe tried to alert the Bronx-Lebanon Hospital Center about confidential patient records left exposed by a contractor. The stuff exposed was deeply personal, containing write-ups of patients' substance abuse problems or mental illnesses.

This didn't go well. The hospital didn't want to talk about it or explain why a third party had so much access to confidential health records, much less why it hadn't bothered to properly secure the hospital's database. One day after these mostly futile phone calls, someone (not specified in the post) contacted Dissent Doe to let her know the databases had been secured and to thank her for notifying them.

That should have been the end of the story. But it wasn't.

It was a brief honeymoon. On May 9, Kromtech published their report and I published my first report on the incident without any statement from the hospital or vendor, neither of whom had provided a promised statement.

Then on May 12, coordinated threat letters arrived via email from external counsel for both iHealth and Bronx-Lebanon Hospital. DataBreaches.net understands that Kromtech Security also received similar letters.

I’ll let that sink in for a minute: they threatened a person who went out of her way to alert them they were leaking protected health information. Instead of saying, “Thank you so much, and can we also ask you to please securely destroy any data you might have in your possession?” they sent me threat letters.

The stupid, angry letters contained stupid, angry threats. First, the letters accused Doe of improper access. Then they went on to demand she and everyone else in possession of this data delete it and send a certified letter (or something) back to the hospital and vendor confirming the destruction of the data. They also demanded she reveal her sources and not post anything further about the breach.

Doe didn't think much of the demands, but she did retain counsel just in case. An angry, non-stupid response letter from her legal rep changed the tone of the demands into more polite requests. Not that the change in tone won Doe over. A bridge only needs to be burnt once to render it useless. And, in one sense, the angry, stupid threat letter did work: while Doe didn't cave, it appeared that Kromtech did delete the data it had discovered. That resulted in a problem.

Apparently, the hospital and vendor forgot about their earlier bridge-torching efforts. They approached Doe again, this time asking for help identifying which patients had had their personal info exposed in order to notify them.

Now the entities could just notify everyone who had PHI/PII on the server, of course, but it seemed like they were trying to narrow the universe to only those whose data wound up in Kromtech’s hands – or this site’s – or NBC News’ hands. And now Kromtech could not tell them which patients had data in the 500 mb of data they had downloaded and then destroyed.

But Kromtech had sent a subset of that data to DataBreaches.net, who had not destroyed the data it possessed. If DataBreaches.net wanted to be helpful, it could go through all the data and let the entities know which patients had data in there, right?

But why should Doe do this? The two affected entities had already expressed their gratitude using legal threats, not exactly the best foundation for future collaborative efforts.

I might have been able to spare the vendor and hospital some notifications if I was willing to donate my time to going through files to compile information for them, but I’m not willing.

I’m not willing, in part, because I do not want to be going through PHI if it’s not for my reporting purposes. And I’m not willing because why should I have to spend my valuable time compiling information for entities that tried to bully me and who now need my help to help them clean up their mess??

Shooting the messenger kills potential allies. But far too many entities think it's better to shoot first and live with their regrets later. Security researchers aren't the enemy of privacy, but they're often treated as criminals and malcontents by entities who have screwed up their own security efforts.


Reader Comments



  • TechDescartes (profile), 13 Jun 2017 @ 9:20am

    Hmm

    Apparently, the hospital and vendor forgot about their earlier bridge-torching efforts. They approached Doe again, this time asking for help identifying which patients had had their personal info exposed in order to notify them.

    I doubt they forgot their earlier bridge-torching. I smell a rat. They probably have enlisted law enforcement and want Doe to turn over the data to prosecute. Because somebody's got to go to prison and it's not the hospital, right?


    • sigalrm (profile), 13 Jun 2017 @ 11:09am

      Re: Hmm

      More likely, it's this:

      Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

      (from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)

      My money is that they're trying to pare down the scope of the breach to get under that 500 record mark, so that they don't have to go on the 5:00 news to advertise it.


    • peter, 13 Jun 2017 @ 11:38am

      Re: Hmm

      Yep. My first thought was along the lines "they are asking her to send the data so they can 'prove' she has access to confidential information in order to prosecute".


    • DB (profile), 13 Jun 2017 @ 11:43am

      Re: Hmm

      It's likely that they have contacted law enforcement, which is pursuing this as 'receiving stolen property'.

      Turning over the names would serve the dual purposes of confirming 'possession' and limit the number of people they will need to contact.

      It's not important that there was no crime committed, and no conviction possible. Just putting someone through the criminal system is an effective punishment -- expensive, time consuming and embarrassing punishment.


      • Jesus, 13 Jun 2017 @ 8:19pm

        Re: Re: Hmm

        That is an unlikely explanation, as she has already confirmed the data was accessible and there is a record of this, they don't need to go through any convoluted steps to prove this.

        They just wanted to tell as few patients as possible that their data had been breached to save face.


    • John Nelson, 14 Jun 2017 @ 6:23am

      Re: Hmm

      No. If law enforcement were behind this, they'd have showed up with a warrant and taken the researcher's computers, mobile phone, game console and DVR. This was almost certainly an attempt to limit the scope of the notification effort required under the Breach Notification Rule.


  • orbitalinsertion (profile), 13 Jun 2017 @ 11:19am

    On the one hand, she needs to do nothing more than send back the portion of data she received from Kromtech. Hardly an effort.

    On the other hand, all this does is show what data (or a subset thereof) security researchers had, which is pretty pointless.

    If they really want a number, they can fairly well guess within a range from the size of the data originally downloaded. But the real point is, their entire db and who knows what else, was exposed. They need to be concerned about other parties who may have found this and copied more than a sample of the db. Funny their internal filesystem hasn't kept notes.


  • JJ, 13 Jun 2017 @ 11:32am

    hospitals like this

    All security researchers should keep a list. If entities respond like this to assistance, then all future notices should go to the entity and to the news organizations on first notice.


  • ECA (profile), 13 Jun 2017 @ 12:10pm

    lETS SEE...

    Wow,
    Lets ask...
    WHO would you rather get a notice from a lawyer??
    An agency trying to help, and ISNT COSTING YOU MONEY..
    OR to have a consumer, that is protected by TONS of privacy laws, that has found his PRIVATE RECORDS ON THE NET??

    WHy do we make it so Hard to be NICE..to be fair..
    It costs little to nothing to be nice, unless they want to PUT you in jail..

    Strange concept by SOME FOLKS, is that WE/YOU/I are the only smart people in the world, and NO OTHER person will figure this out..
    Who to blame? You have an Automated system, and SOMETHING didnt close an Access point..


  • Anonymous Coward, 13 Jun 2017 @ 12:35pm

    At $50,000 per violation with an annual cap of 1.5 million maximum civil penalties on the line, it's no surprise they'd rather claim they were hacked.


  • That One Guy (profile), 13 Jun 2017 @ 1:26pm

    "Yeah, no."

    In her shoes I'd send back a letter 'reminding' them that they made it abundantly clear that they didn't want her to have anything to do with the data, and as such she has no obligation or interest in assisting them in their CYOA efforts.

    If they want to try to find out who had their data compromised that is entirely on them, they already made clear how they respond when people try to help them.


  • Anonymous Coward, 13 Jun 2017 @ 1:58pm

    "about confidential patient records left exposed by a contractor."

    I think the biggest crime here is taking the private (and complexly protected by HIPAA compliance) and letting the lowest bidder handle the security of said records. I mean if you give me a hundred thousand dollars I'm not going to go hire someone on Craigslist to build a shed to keep it in.


  • That Anonymous Coward (profile), 13 Jun 2017 @ 3:59pm

    Dissent Doe, should turn the data over to the legal branch charged with oversight, stating it is only a small portion of what was available, they could have supplied more but baseless legal threats to those who discovered it resulted in that data being removed, removing evidence of how horribly the hospital and vendor screwed up.

    So they leaked data they are legally obligated to keep secure, demanded destruction of evidence of their failure, & now are trying to get the number as small as possible to not have to pay for fucking up. I see felonies there, perhaps a DA would agree.

    For the bonus round not only did they fail to secure the data, they had no controls or logs to show them who accessed what files.

    Much like needing a Federal Anti-SLAPP law, we need a law to shield researchers who discover & properly disclose leaks. Using a series of other researchers, who often have to work hard to be taken seriously & then deal with baseless threats, there should be a solid clearing house on some level.

    A clearing house that informs the leaking entity, discloses a leak happened, verifies its been secured, & notifications are wide ranging. We can't keep expecting people to do this out of the goodness of their heart when they are often attacked & threatened with legal hassles for being responsible messengers.

    It is obvious that the laws we have in place to protect this data don't have strong enough punishments. Perhaps multipliers to the fines (and civil suits) might get them to think paying for security is cheaper than the liability of saving a couple bucks.


    • Rekrul, 13 Jun 2017 @ 4:12pm

      Re:

      Dissent Doe, should turn the data over to the legal branch charged with oversight, stating it is only a small portion of what was available, they could have supplied more but baseless legal threats to those who discovered it resulted in that data being removed, removing evidence of how horribly the hospital and vendor screwed up.

      I have a better idea: How about going through the files to find the identities of the people whose information was exposed and contacting them directly to let them know that the hospital leaked their private information. Not only are the affected people informed, the hospital will probably have several rather pissed off patients to contend with and might even find itself on the receiving end of lawsuits.


      • That Anonymous Coward (profile), 13 Jun 2017 @ 11:26pm

        Re: Re:

        People sue over all sorts of things, turning the data over to authorities should result in those they have data for being contacted. The problem is no one can say how much was taken by other people, so it would be safer to notify everyone.

        I know this situation, I'm "That Anonymous Coward" and it took me WAY too much effort to be taken seriously. If I emailed random people and said I saw your leaked medical info... what would be the response? A visit from one of the acronyms I am sure. Then I have to convince the acronyms I'm not a hacker, threat, terrorist, or anything else their small minds decide. Much easier for me to use a trusted conduit to put the data into the hands of authorities and walk away. (but keep an eye out for notifications & reporting).


  • Rekrul, 13 Jun 2017 @ 4:19pm

    CSI Cyber

    Back before it was canceled, the show CSI Cyber did an episode about a murdered hacker. At first everyone thinks that they were a criminal, but it turned out that they were only looking for security vulnerabilities so that they could report them. At the end of the episode, they inform the hacker's relatives that not only was the hacker a "good guy", but they've inherited the information that the hacker was killed for. They're told that the company will be grateful to learn of the vulnerability and that they will probably pay them a large sum of money as a reward.

    Right after the episode aired, I went online to post that they were more likely to have CFAA charges filed against them.


  • Norahc (profile), 13 Jun 2017 @ 9:03pm

    "They just wanted to tell as few patients as possible that their data had been breached to save face."

    Should have thought about saving face before they fired off legal threat letters. A lot of people are willing to forgive the incident, but not many are willing to forgive the cover up.


  • oliver, 13 Jun 2017 @ 10:41pm

    This story sooooo much calls for a vicious takedown by Popehat towards those stupid lawyers threatening the source. Including with the classic response "snort my taint"!


