In July of this year, CTV News in Canada and DataBreaches.net reported on a breach involving Homewood Health in Canada. Both CTV and this site had become aware of the breach when data allegedly from Homewood showed up on a leak site called Marketo. Marketo claimed to have almost 300 GB of Homewood’s data for sale.
As is Marketo’s business model, they apparently first tried to get Homewood to pay them to remove the data from public access. When that failed, they started dumping small amounts of data as proof of claim and to increase pressure on Homewood to pay them.
And as is this site’s usual routine, DataBreaches.net reached out to the victim — in this case, Homewood Health — with questions about the incident. As more information and data became available to this site from Marketo’s site, those questions were expanded.
Homewood Health ignored all of this site’s inquiries. That is their right, of course, but by ignoring inquiries and opportunities, they deprived themselves of the opportunity to try to tell their side of the story or to provide a statement that would have made the use of any screencaps unnecessary. Instead they stonewalled and left this site in the position of using redacted screencaps to prove that this breach involved personal and sensitive information. It’s a shame that Homewood Health just didn’t acknowledge that forthrightly when asked repeatedly.
More than one month later, DataBreaches.net received a legal threat letter from Homewood’s external counsel — the Miller Thomson law firm.
The letter, which appears to be an attempt to intimidate this blogger and this site into destroying data and and chilling speech, contains patently false and defamatory claims about this blogger. I will respond to just a few of their allegations:
Your unauthorized publication of the Confidential Information and related unlawful actions constitute several violations of law, including but not limited to:
(a) conspiracy;
(b) defamation;
(c) extortion;
(d) unlawful interference with economic relations; and
(e) intentional infliction of emotional distress.
On July 21, 22, 23, and August 8, this site sent inquiries to Homewood seeking information and clarification about the breach. The inquiries were polite and contained no threats of anything, so it is not clear how Miller Thomson can claim that this blogger or site has engaged in any “extortion.” Nor is it clear how I allegedly “conspired” with anyone when I am a solo blogger. Does Miller Thomson consider getting information from a source “conspiring?”
Their other allegations are also refuted by the facts. Perhaps the lawyers just threw a bunch of allegations at the wall and hoped that some would stick?
The letter then goes on to make demands that basically attempt to censor reporting and decimate press freedom. Regular readers of this site already know how this site responds to attempts to chill speech and a free press.
So Homewood Health had multiple opportunities to issue a statement or to speak to me about the incident if they wished to try to have input to the reporting. They stonewalled this site and then resorted to legal threats. And they apparently convinced a court in Calgary to issue a court order. With all due respect to the Calgary court, I will not be responding to the court.
Great thanks to some terrific lawyers at Covington and Burling and Osler, Hoskin & Harcourt. Neither firm nor any of their employees are responsible for the opinions expressed in this blog post, however.
Any luck reporting them to the Alberta Privacy Commissioner?
What would I be reporting them for?