- Vendor’s mistake potentially exposed “millions” of Bronx-Lebanon Hospital patients’ information;
- Hospital and vendor try to claim that iHealth Solutions was “hacked” by security researchers who uncovered the security problem;
- Hospital and vendor issue series of demands, threaten DataBreaches.net for reporting on incident;
On May 3, Kromtech Security’s research team, conducting routine research, found that confidential and sensitive patient information was exposed on a misconfigured rsync backup device. As best they could determine, the data were from patients of Bronx-Lebanon Hospital Center in New York City, but the vendor responsible for the backup device was iHealth Solutions.
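The post does not say exactly how the rsync device was misconfigured. The pattern behind most rsync exposures of this kind is an rsync daemon listening on TCP/873 with a module that sets neither `auth users` nor `hosts allow`, so anyone who can reach the port can list the module and pull everything in it; `read only = yes` does nothing for confidentiality. The following is an added example, not Kromtech’s tooling or the vendor’s actual configuration: a small audit of an rsyncd.conf that flags such modules, run against a constructed sample with one weak module beside two restricted ones, and against a hardened version of the same file. The module names, paths and user name are made up for the illustration.

```shell
#!/usr/bin/env bash
# Added example: flag rsyncd.conf modules reachable with neither
# "auth users" nor "hosts allow". Sample configs below are constructed
# for the illustration and are not the vendor's real configuration.

# Print the name of every module that has neither "auth users" nor
# "hosts allow" (module parameters set in the global section count as
# defaults for every module, as rsyncd.conf(5) specifies).
audit_rsyncd_conf() {
  awk '
    function flush() { if (mod != "" && !auth && !hosts) print mod }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); line = tolower($0) }
    line ~ /^#/ || line == "" { next }
    line ~ /^\[.*\]$/ {
      flush()
      mod = substr($0, 2, length($0) - 2)
      auth = gauth; hosts = ghosts      # module inherits global defaults
      next
    }
    line ~ /^auth users[ \t]*=[ \t]*[^ \t]/  { if (mod == "") gauth = 1;  else auth = 1;  next }
    line ~ /^hosts allow[ \t]*=[ \t]*[^ \t]/ { if (mod == "") ghosts = 1; else hosts = 1; next }
    END { flush() }
  ' "$1"
}

# Number of exposed modules, for use in scripts and checks.
exposed_module_count() {
  audit_rsyncd_conf "$1" | wc -l | tr -d ' '
}

# Constructed weak config: [backups] is world-readable over rsync://host/backups.
# "read only = yes" only stops writes; it does not stop a bulk download.
write_weak_conf() {
  cat > "$1" <<'EOF'
uid = nobody
gid = nobody
use chroot = yes
read only = yes

[backups]
    path = /srv/backups
    comment = nightly database dumps

[logs]
    path = /srv/logs
    hosts allow = 10.0.0.0/8

[patients]
    path = /srv/export
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
EOF
}

# Constructed hardened config: every module requires a password AND is
# restricted to the backup network; nothing is reachable anonymously.
write_hardened_conf() {
  cat > "$1" <<'EOF'
uid = nobody
gid = nobody
use chroot = yes
read only = yes
hosts allow = 10.0.0.0/8
auth users = backupsvc
secrets file = /etc/rsyncd.secrets

[backups]
    path = /srv/backups

[logs]
    path = /srv/logs

[patients]
    path = /srv/export
EOF
}

# Demo run against both constructed files.
weak=$(mktemp); hardened=$(mktemp)
write_weak_conf "$weak"; write_hardened_conf "$hardened"
echo "weak config, anonymously reachable modules:"; audit_rsyncd_conf "$weak"
echo "hardened config, anonymously reachable modules: $(exposed_module_count "$hardened")"
rm -f "$weak" "$hardened"
```

The same two conditions are what an external scan would turn up: `rsync rsync://HOST/` lists the modules the daemon is willing to show, and any module that pulls with `rsync -av rsync://HOST/MODULE/ ./out/` without a password prompt is exposed in the way the post describes. The audit above is the configuration-side version of that check.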
As is their practice, Kromtech downloaded some of the data for verification and research purposes, then attempted to notify the entities. Kromtech generally does not go public with their findings until after they have been able to reach an entity to ensure that the data are secured.
When Kromtech was not able to reach anyone on May 3 to notify them, they contacted DataBreaches.net to request assistance in trying to contact the vendor or the hospital. It took some time – including some frustratingly long calls to the hospital to try to reach an actual person – but eventually, messages were left for both the vendor and the hospital that they had a problem requiring urgent attention.
On May 4, I was gratified to receive several phone calls confirming that the data had been secured and thanking me for my efforts to notify them.
It was a brief honeymoon. On May 9, Kromtech published their report and I published my first report on the incident without any statement from the hospital or vendor, neither of whom had provided a promised statement.
Then on May 12, coordinated threat letters arrived via email from external counsel for both iHealth and Bronx-Lebanon Hospital. DataBreaches.net understands that Kromtech Security also received similar letters.
I’ll let that sink in for a minute: they threatened a person who went out of her way to alert them they were leaking protected health information. Instead of saying, “Thank you so much, and can we also ask you to please securely destroy any data you might have in your possession?” they sent me threat letters.
Their letters began by trying to suggest that my license as a psychologist might come into play or jeopardy:
As a New York licensed psychologist, you are well aware that confidential patient information is protected under federal and state laws which provide severe penalties for unauthorized access to and publication or other misuse of such confidential data.
Were they really suggesting that I might suffer “severe penalties” for publishing redacted evidence of their security failure when such failures are a matter of great public concern? Seriously? But then came their “DEMANDS:”
(a) You immediately return to the Hospital any and all copies of this confidential data or provide a written statement that you have destroyed any and all copies of such confidential data, including any such data attached to emails, posted as images (redacted or otherwise) on internet pages under your control, and in any and all other forms or locations over which you have control;
(b) You immediately inform us of any person or entity with whom you shared this confidential data and secure the return to us or a written statement of the destruction of any and all copies of such confidential data;
Well, neither of those are going to happen, so let’s continue….
(c) You immediately describe to us how you received this confidential data (for example, downloaded it from the internet, a hard drive, thumb drive, CD, etc.), and describe how you sent this confidential data to any other person or entity; and
How adorable is that – that they think they can demand I reveal my sources and methods for a story?
(d) You immediately cease and desist disclosing, distributing or sharing any of such confidential data with any person or entity.
So I must immediately cease and desist committing journalism? I don’t think so.
Please be further advised that our client is working with law enforcement officials in the investigation of these unauthorized and illegal acts.
Hopefully, law enforcement will hand the hospital and vendor a cluestick. It’s bad enough that either would try to suggest that they were hacked by claiming “unapproved access,” or that they might try to suggest that Kromtech broke any law, but to claim that my reporting on a leak is unlawful, well, that’s totally meritless. Even if Kromtech had done something illegal in acquiring the data, DataBreaches.net did nothing illegal in using data it was given. The Supreme Court considered that type of issue in Bartnicki v. Vopper, remember?
The threat letter added: “We caution you to take this letter seriously and immediately act to mitigate your legal and professional risks.”
Well, I did take it seriously. And I got seriously ticked off that the Bronx-Lebanon Hospital Center and iHealth Solutions seem to have no grasp of press freedom or New York State law protecting a free press. So I contacted one of my favorite First Amendment lawyers, and happily for me, some great lawyers at Covington & Burling fired off a stern letter to the hospital’s and vendor’s law firms. And I hope that’s the end of those firms’ ridiculous threats.
Heartfelt thanks to Kurt Wimmer, Jason Criss, Stephen Kiehl, and Dena Feldman of Covington & Burling. You are this blog’s heroes and your support is what makes it possible for us “little guys” to keep committing journalism.
Ingrates. File a complaint with Office of Civil Rights (OCR).
https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
This is staggering tone-deafness. Any new cybersecurity legislation should include provisions that anyone who shoots the messenger can either A) attend 40 hours of information security awareness training, or B) get slapped in the face every morning for a year.
Yes, let OCR get them for fines. That would be great.
Can we see the letter your legal team sent in response? Few things are more enjoyable to read than a lovely crafted bitchslap response to oppressive corporate C&D letters.
Nicely done.
I would have added they can pick up the unredacted patient information from HHS and the New York AG’s office because that’s where I sent it right after receiving your B/S C&D letter!
Their ignorance is exponential. A sure head-shaker post. Thanks for being the messenger.
It should be axiomatic that if you’re threatening a cyber-samaritan, you’re doing incident response oh so very wrong.