CORRECTION AND UPDATE: See this email and documentation from Professor Bowne.
It seems that the media reporting on a breach involving patients at E. A. Conway Medical Center was inaccurate in some important respects, with the inaccuracies stemming from the Louisiana State University Health System’s notice about the breach.
To summarize: Professor Sam Bowne of City College – San Francisco discovered an FTP exposure via a Google search and responsibly notified LSU of same on June 17.
While what LSU subsequently wrote in its notice, i.e., that the professor had “successfully accessed a server,” was somewhat correct, other statements in their notice were misleading or inaccurate: he did not do this in the context of teaching a class; he did not disclose it to anyone other than LSU until after the server was secured; the breach did not occur on June 17; and he did not do it by hacking, which the phrase “accessed a server” might suggest to some readers.
Coverage in The NewsStar compounded the problem, and SC Magazine’s coverage compounded it even further by specifically headlining that this was a hack.
Although he was not named in their statement or early media coverage, Bowne’s employing college was named, and John Paffenbarger of Definitive Data Security contacted Bowne’s employer to urge them to investigate the alleged hack and to denounce it. Whether Paffenbarger was involved with LSU or just did this on his own is unknown to me, but it is the type of complaint that could get a faculty member fired – if the allegations were true. In this case, they were not true, but the bad press the college received over what many construed to be a hack and Paffenbarger’s email to the college likely created some headaches for Professor Bowne.
On Friday, Professor Bowne filed a complaint with HHS against LSU, alleging they retaliated against him for filing a HIPAA complaint. In his correspondence, he provides copies of communications and the media reports.
I could be very wrong, but I don’t think HHS will take action against LSUHealthNewOrleans under the retaliation prohibition of the law, although they might take enforcement action over the breach itself and what might be a misleading or incomplete notification.
But why did LSU get their notice so wrong? It’s crystal clear from Bowne’s notification to them that the breach didn’t first occur on June 17 and he clearly stated he discovered the FTP breach via a Google search. Why didn’t they write a more accurate notice, and why did they say it was in the context of his teaching and a “demonstration?”
With respect to the last point, Adam Greenberg of SC Magazine reports:
Andrew Conkovich, chief compliance officer at University Health, told SCMagazine.com on Friday that the line, “demonstrating potential vulnerabilities of computer system[s] to his class,” was included because Bowne posted his findings – including the email he sent and images with redacted information – to the website he uses for his classes shortly after the FTP site was gone, as well as posted about it on Twitter.
So what if Bowne did share his redacted findings with future students after the server was secured? That doesn’t justify what LSU reported, in my opinion. Bowne even attempted to redact the identity of LSUHS in his posting for his course, although one failure to redact does identify “LSUHS.”
On Friday, SC Magazine posted a clarification without actually calling it a correction. They did not apologize for their error. The NewsStar does not seem to have corrected their post about the breach. Nor has LSU corrected its notice. In fact, I can find no breach notice linked from the homepage for E. A. Conway (LSUHS/Shreveport). Bowne comments on the updated situation here.
PHIprivacy.net apologizes for potentially contributing to Professor Bowne’s distress by quoting The NewsStar’s coverage. I hope this now sets the record straight.
The original post, which was an excerpt from The NewsStar’s report, has been deleted so as not to perpetuate false information about the incident or the discoverer of the breach.