Nate Raymond reports:
The FBI views companies hit by cyber attacks as victims and will not rush to share their information with other agencies investigating whether they failed to protect customer data, its chief said Wednesday.
Christopher Wray, director of the Federal Bureau of Investigation, encouraged companies to promptly report when they are hacked to help the FBI investigate and prevent future data breaches.
He contrasted the FBI’s approach to that of other regulators and state authorities. Without naming other agencies, Wray referred to “less-enlightened enforcement agencies,” some of which he said take a more adversarial approach.
Read more on Reuters.
Cough Cough.. HIPAA… Cough Cough… Office of Civil Rights and Health and Human Services… Cough Cough.
Take something for that cough and wait a second. 🙂
Is it really the FBI’s role to snitch on companies to HHS? Would we rather have the FBI in the dark or have them informed even if HHS isn’t told by them? It’s the breached entity’s responsibility to disclose to HHS. I don’t see any need to make it the FBI’s responsibility.
Not everything is a cyber attack. And yes, I think law enforcement should make sure that patients are notified. If you were a patient, and your info was found to be on google, and the FBI knew, and the covered entity never told the patients, wouldn’t you think that was a problem? =)
I understand your point and of course, I’d want to be notified. But: if entities don’t reach out for help or share info because they are afraid of being ratted out, then aren’t patient data going to continue to be at risk or even more risk?
Is this actually one of those “balancing” scenarios? 🙂
Like this for example:
https://www.databreaches.net/ny-treasure-trove-of-grand-street-medical-associates-patient-data-exposed-and-indexed/
=)
That’s not a great example. This was reported in the media and to HHS. There was no need for FBI to report anything to HHS at all, was there? The issue here, perhaps, is why didn’t HHS/OCR do anything about this one?
“Ratted out” or “snitching” reminds me of what I learned when I was younger. I was taught (when I was younger I had to go to a state-run rehabilitation center) that that line of thinking dives into criminal behavior and thinking. The concept of “ratting” or “snitching” on someone means that you know of a crime, but decided not to tell the authorities or to “do the right thing” by society.
=)
I have a friend on Facebook, who has another friend who said they were a patient of record at Grand Street and still wonders why patients were never notified, as they were/are a patient. But this is hearsay. So… something went wrong.
“That’s not a great example. This was reported in the media and to HHS. There was no need for FBI to report anything to HHS at all, was there? The issue here, perhaps, is why didn’t HHS/OCR do anything about this one?”
But I don’t think patients were notified that information ended up in Google, and the FBI has the evidence. They seized it during a raid. They have seized more data leaks that were found in the public, yet patients seem rarely notified. I would say the FBI is protecting covered entities more than patients.
I understand why you say that, but recall that I posted proof of the leak, so HHS could have pursued this one on their own initiative without needing the FBI’s assistance or info at all.
So I’m just as confused as you as to why this was never disclosed to patients. And of course, we have no way of knowing how many criminals may have accessed the exposed data. Hopefully, none, but do we know if the entity even had logs or analyzed them? There’s too much that wasn’t made public about the response to this incident.