Today’s “No Need to Hack When It’s Leaking” episode is actually an update on a leak where DataBreaches did not name the entity at the time because the leak had not been secured. It still hasn’t been secured. Now the entity is reportedly attempting to tell the U.S. Department of Health & Human Services that they were never contacted by any of the entities that had contacted them, that it’s not their bucket, and that someone else must own that bucket. Grab your favorite beverage and read on…
In 2022, DataBreaches filed a watchdog complaint with HHS about a leak of patient information. The patient data appeared to be from a Florida nursing services entity and was exposed in an unsecured Amazon bucket. Attempts by multiple entities to alert the Florida firm to the leak were unsuccessful, as outlined in our previous post.
This week, I learned that the entity was telling HHS investigators that they had never been contacted by any of the entities I named in my complaint and that it wasn’t their bucket and maybe I had the wrong entity.
HHS asked me if I could send them evidence to support my claims.
So I started searching thru my files and contacted Jelle Ursem, one of the researchers who had reported discovering that leak and who had called the entity twice trying to disclose responsibly, to no avail. I also contacted Blue Cross Blue Shield and asked if they had logged their phone call to the entity.
Ursem had called the entity and had a phone log of the call to the phone number listed on the entity’s website.
I had a copy of the email I had sent the entity and a copy of the draft report that Ursem had prepared for them and that they would have received if they had ever called him back.
Blue Cross Blue Shield’s intel team had a phone log that showed the date, timestamp and phone number they had called. And they remembered the call because the woman asked them who they were and when they told her, she said thank you and just hung up.
As of today, the bucket is STILL unsecured. And in that bucket are oh-so-many files with the entity’s name, address, and telephone number — the same telephone number that we all called and the same domain that DataBreaches had emailed.
If the bucket is not theirs, it’s likely a vendor’s, as I pointed out to them in my original email of December 2022, but it’s still their patient data and responsibility.
HHS has plenty of evidence linking the files in the bucket and the bucket itself to this entity. I told the investigator that I was not withdrawing my complaint and someone had a lot of explaining to do to them.
I hope HHS doesn’t give them a pass on this one. Not after so many people tried to alert them and a bucket with protected health information has been exposed for 4 years.