Berkeley HeartLab (a Celera business) notified the New Hampshire Attorney General’s Office that in late September of this year, it learned that a former employee had accessed patient data in “2008 and/or 2009.” The employee subsequently went to work for an unnamed competitor, and BHL believes that the employee took the data for competitive purposes and not for purposes of identity theft. The data accessed included names, addresses, dates of birth, lab tests run and results, and Social Security numbers. The total number of patients whose data were acquired was not reported but 8 residents of New Hampshire were affected.
I did some digging into this breach and discovered that BHL had filed a lawsuit in January 2010 against Health Diagnostic Laboratory, Inc., and several former employees for trade secret violations and breach of contract. You can read about the lawsuit on Trade Secrets and Noncompete Blog. Of relevance here, their coverage notes:
While unclear from the court papers, it appears that Berkeley’s support for its CFAA claim is its allegation that two individual defendants accessed their Berkeley work computers without authorization, or in excess of their authorization, while still employed by Berkeley, to remove data to benefit Health Diagnostic.
I kept digging and found that in April 2010, there was a settlement agreement in the case, but the parties were not done with each other, it seems. On July 26, 2011, Health Diagnostic Lab filed suit against BHL and Celera for allegedly breaching the terms of the settlement agreement.
In any event, judging from the docket of the original lawsuit and the timing of post-settlement discovery, it seems likely that BHL first obtained solid information about its former employees’ conduct through that discovery process in September 2011.
If BHL needed the discovery process to find out what former employees had accessed in excess of their authorized access, then I’d love to know what kind of logs or auditing system they had in place in 2008 and 2009. Surely logs would have reflected an unusual amount of data being downloaded, no?
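To illustrate the kind of audit review the question above implies, here is an added example (not code from the original post, and nothing to do with BHL’s actual systems) that sums the patient records each user touched from constructed access-log lines and flags any user whose volume dwarfs that of their peers, along with any single export above a fixed size. The log format, user names, record counts and thresholds are all assumptions made for the example.

```python
"""
Added example: review a constructed patient-record access log for bulk downloads.
Log format (assumed): "<timestamp> <user> <action> <record_count>" per line.
"""
from collections import defaultdict
import statistics

# Constructed sample log lines; users, dates and counts are invented for illustration.
SAMPLE_LOG = """\
2008-11-03T09:12:44Z alice VIEW 3
2008-11-03T09:40:10Z bob VIEW 2
2008-11-03T10:02:31Z alice EXPORT 4
2008-11-03T11:15:05Z carol VIEW 5
2008-11-03T13:30:00Z dave EXPORT 1200
2008-11-03T14:05:12Z bob VIEW 3
2008-11-03T15:20:48Z dave EXPORT 950
2008-11-03T16:44:09Z carol VIEW 2
"""


def parse_log(text):
    """Parse log text into (timestamp, user, action, count) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: wrong field count
        timestamp, user, action, count = parts
        try:
            events.append((timestamp, user, action, int(count)))
        except ValueError:
            continue  # malformed line: non-numeric record count
    return events


def records_per_user(events):
    """Total number of patient records touched by each user."""
    totals = defaultdict(int)
    for _, user, _, count in events:
        totals[user] += count
    return dict(totals)


def flag_bulk_access(totals, ratio=10.0):
    """Flag users whose total exceeds `ratio` times the median total of all other users.

    Comparing each user against the median of the others keeps one heavy user from
    dragging the baseline up and hiding their own activity.
    """
    flagged = {}
    for user, total in totals.items():
        others = [t for u, t in totals.items() if u != user]
        if not others:
            continue  # cannot build a peer baseline from a single user
        baseline = statistics.median(others)
        if baseline > 0 and total > ratio * baseline:
            flagged[user] = total
    return flagged


def large_exports(events, threshold=500):
    """Return individual EXPORT events that moved more than `threshold` records at once."""
    return [e for e in events if e[2] == "EXPORT" and e[3] > threshold]


def review(text):
    """Run both checks over raw log text and return the findings."""
    events = parse_log(text)
    totals = records_per_user(events)
    return {
        "bulk_users": flag_bulk_access(totals),
        "large_exports": large_exports(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for user, total in findings["bulk_users"].items():
        print(f"user {user} touched {total} records, far above peers")
    for timestamp, user, _, count in findings["large_exports"]:
        print(f"{timestamp}: {user} exported {count} records in one operation")
```

Both checks are deliberately simple: a per-user volume comparison and a single-event size threshold. Either would surface the pattern the post wonders about, provided the application actually records how many records each view or export returned; a log that only notes "user logged in" cannot answer the question at all.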