On November 12, DataBreaches published an OpEd, If entities continue to obfuscate and lie, it’s time to mandate more transparency in breach disclosures. Today, we post another example of why we need to legislate and enforce data breach notification laws that prohibit deceptive statements and mandate more disclosure when data has been leaked.
This week, external counsel for Endocrine & Psychiatry Center in Texas submitted a breach notification to the Maine Attorney General’s Office. According to the submission, a breach occurred “sometime prior to 03/20/2023” and was discovered on October 15, 2023. The incident was categorized as an “External system breach (hacking)” with the total number of people affected reported as 28,531.
The only claim that DataBreaches can confirm as wholly accurate is that the breach occurred prior to March 20, 2023. The remaining claims raised questions here, and since DataBreaches had some firsthand knowledge of this incident, let’s dive into the disclosure more. A copy of the notification letter sent to patients on November 14, 2023 appears at the bottom of this post. It begins:
“We are writing with important information regarding a recent security incident.” DataBreaches does not believe that an incident that occurred no later than least nine months ago and began possibly years ago should be described as a “recent” incident, and wishes such deceptive descriptions were prohibited, but that’s the least of the concerns with this particular notification.
“We recently learned that sometime prior to March 20, 2023, certain patient data may have been taken from our systems by an unauthorized individual.” Why “may have been taken?” Do they know and just aren’t being forthright, or if they don’t know, why don’t they know?
And does their reference to “(hacking)” on the submission form and “taken from our systems by an unauthorized individual” in their letter lead you to believe they were hacked?
This incident involved an unsecured blob that was discovered by a researcher. When the researcher was unable to determine who owned the blob so that he could alert them, he contacted DataBreaches for assistance. DataBreaches was able to identify the owner by looking at some of the exposed files. On March 20, DataBreaches called Endocrine & Psychiatry to alert them. On March 27, 2023, DataBreaches reported on the researcher’s discovery of the unsecured blob and DataBreaches’ role.
DataBreaches’ March 27 report was clear that the incident involved an unsecured blob that was exposing 682,000 records for an unknown amount of time before it was discovered by the researcher. This was a leak, not a hack.
Nowhere in the notification letter does the entity reveal or admit they had an unsecured blob.
If they actually discovered that data was exfiltrated by anyone other than the researcher or DataBreaches, then perhaps they could legitimately claim there had been a hack, but did they find that and report that to law enforcement, or was this just the leak that DataBreaches reported on March 27? The notification letter does not mention what the investigation showed with respect to how long the data had been exposed and whether there were any other accesses or downloads before the researcher discovered the exposed data.
Since reporting the leak in March, DataBreaches has heard from Dr. Patel’s lawyer at McDonald Hopkins, who informed DataBreaches that the doctor was diligently working his way through the time-consuming process of figuring out who needed to be notified. There was no mention of discovering any hack, and there was no suggestion that the doctor would try to report this to HHS and patients as anything other than an unintended data exposure.
Turning to another part of the notification, the submission to the state claims the date of discovery was October 15, 2023. That was not the date of discovery. The date of discovery was in March when DataBreaches contacted Endocrine & Psychiatry, and they saw that their data was, in fact, exposed at the URL that was provided to them to check. HHS has made clear what HIPAA means by date of discovery. By trying to tell people that the date of discovery was in October, a November notification sounds prompt. If you tell people the truth that you are first notifying them 8 months after you learned of the breach, they will probably be unhappy with you — and that’s exactly why the government or legislators need to crack down on entities misreporting the date of discovery.
Finally: were there really 28,531 patients affected? DataBreaches does not know for sure, but suspects there were many, many more. We know that there were more than 682,000 records in the exposed database. Even allowing for multiple records for patients, would it really be less than 29,000 patients? On its website, Endocrine & Psychiatry has a notification about the incident that is substantially similar to the letter mailed to patients, but we noticed the website version has this statement:
Out of an abundance of caution, we provided written notification of this incident commencing on or about November 14, 2023, to all those potentially impacted to the extent we had a last known home address.
So is the 28,531 the number who were sent letters or the total number of patients affected? Again, DataBreaches does not know whether the number reported to HHS really was the total number affected or only the number for whom they had last known addresses. But will HHS know?
Mistakes happen, but maybe HHS should take a look at what happened in this incident and see if the failures they recently fined DMS for also apply here. Did Endocrine & Psychiatry have an adequate risk assessment in place? Did they have policies in place that required them to check or audit the blob? Did they have necessary logs and tools deployed to secure the blob and to detect accesses or problems? Could they even determine when the blob was first left unsecured? Will HHS do a serious investigation into this incident and the incident response and disclosure?
Or should the FTC do it?
Earlier this week, Larissa Bungo, Senior Attorney at the FTC, wrote about the agency’s proposed settlement in the matter of Global Tel*Link. What Bungo discusses in What we have here is a failure to communicate…among other things is consistent with what DataBreaches has recently argued about misleading or incomplete notifications constituting an “unfair” act under the FTC Act. In the Global Tel*Link case, the FTC took action because the firm failed to adequately secure data despite assurances and representations, did not timely notify those affected, did not notify all those affected and only notified a small percentage of those affected, and was not truthful about the incident. Read the FTC article and the complaint that explains exactly what the FTC considered “unfair” in that case. Then, consider how those allegations and circumstances apply to the Endocrine & Psychiatry Center’s incident response and notification described in this post.
Examples of deceptive or misleading breach notification letters abound. Some are more dangerous than others in terms of potential harm to consumers. But it’s time that legislators and regulators crack down and do more to ensure that the real victims get the information they need to assess their risk, take steps to protect themselves, and decide whether they want to continue to trust the entity that was responsible for securing their information.
Endocrine_and_Psychiatry_Notification