DataBreaches.Net


How can we screw up incident response? Let me count the ways — Monday UK Edition

Posted on December 9, 2019 by Dissent

This week, DataBreaches.net was reminded yet again of the risks of trying to alert an entity to a breach. This time, it was not me who was threatened or any of the whitehat researchers I know. This week, it was a citizen who found patient records on the street in his town and undertook to report the breach to the responsible party. All he wanted was for them to take responsibility for the incident and retrain their employees to be more careful. Almost two months later, he has been threatened with prosecution and tells this site that he was fearful of even contacting this site to let us know what was going on.

But let’s start at the beginning…

A man in the UK found records on the street of his town one day. There was more than one record and it took him weeks to figure out whom to notify, but he finally determined that the records likely belonged to Acacia Mews Care Home. Acacia Mews is run by Avery Healthcare Ltd. So in mid-October, “Joe” as we will call him, emailed Acacia Mews to inform them of what he had found. Getting no response, he emailed them again. “Is this one of your patients??” he wrote, attaching a copy of a record he had found in the street.

Acacia Mews’ Deputy Manager wrote back:

Many thanks for bringing this to our attention, yes this one of our residents, Yesterday we had our archiving company remove paperwork from the building.

Do you have the original? would it be possible for us to either collect it or for it to be dropped in at Acacia mews if you are local & were passing by.

Joe knew that the contractor wasn’t responsible because he had found the records weeks earlier, not the previous day. Joe wrote back again on October 20 (all spelling and typing as in the original):

i found it on the floor on reginald street in luton where i leave there is other papers too

What happened at that point is not clear to DataBreaches.net, as this site does not have the complete email chain. But on November 1, Julie Ricci, the home manager of Acacia Mews, wrote to Joe:

I have contacted the police regarding this matter.

Kind Regards

Julie Ricci
Home Manager
Acacia Mews

DataBreaches.net does not know why Ms Ricci contacted the police, but in any event, Joe did not seem worried by that email, and replied to them:

that good to know but why you no speak to youre staff??

to help you i copy in ico too

maybe u like me contact press too?

If it is not obvious from the partial exchanges, Joe believes that the data security breach was due to employees at Acacia Mews and not any third party, but so far, Acacia Mews and Avery Healthcare have not provided Joe with any statement about investigating staff or retraining staff or disciplining staff.

Joe did contact the ICO, and on November 4, received a proforma response. DataBreaches.net does not know if there has been anything further from the ICO.

On November 17, unhappy with their lack of what he thought would be an appropriate incident response, Joe contacted Julie Ricci again:

hi julie

I did not hear again from you why patience information is on street

you have staff who leave on that street and where avery uniform everyday on they’re way to work but you like to blame other company

maybe avery founders like to answer why?

should i speak to press or cqc too before you teach you’re staff respect?

On November 29, Joe received an email from Jenny Drew, Data Protection Officer for Avery Group Support Centre.

I’m embedding her attached letter below after redacting Joe’s name. Note how she appears to be suggesting that Joe — an individual — has a duty under GDPR to return files to them as he doesn’t have their consent to have them.

[Embedded document: AveryHealhcare_Letter_Redacted]

Joe was not intimidated by Ms Drew’s veiled or not-so-veiled threat. He replied:

thank you jenny

glad that there investigation is being done

section 170 says as well It is also a defence for a person charged with an offence under subsection (1) to prove that (ii) with a view to the publication by a person of any journalistic, academic, artistic or literary material, and (iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.

i will get rid of records when investigation is finished

thanks

So Joe wouldn’t return all the records to Avery, and DataBreaches.net does not know whether Avery even knows how many records Joe picked up off the street. Joe tells DataBreaches.net that he put all the records he found in a bank for safekeeping. The one record Joe shared with this site as proof was, indeed, very sensitive, containing end-of-life palliative care notes for a named patient who was not expected to live long at that point.

DataBreaches.net emailed both Julie Ricci and Jenny Drew to ask for clarification, including why, on November 29, Avery Healthcare first stated that they “Will conduct a full and thorough investigation.” Why didn’t they initiate that full and thorough investigation on October 18 when Joe first contacted them? Why did they jump to blaming a contractor?

And why the veiled threat that he might be in legal peril if he doesn’t do what they want? Why should anyone contact entities to report leaks or breaches if they get threatened with prosecution? They’d be better just keeping the information to themselves, wouldn’t they?

Rather than trying to threaten him, perhaps Avery should have asked him if he would consider turning the records over to the ICO’s office.

In any event, this has not worked out well so far, it seems. DataBreaches.net did not receive any reply from Ms Ricci or Ms Drew, but may update this post if more details are obtained or if there are other developments.

Category: Breach Incidents, Commentaries and Analyses, Exposure, Health Data, Lost or Missing, Non-U.S., Of Note, Paper
