On October 8, Jeremiah Fowler reported that he had discovered a non-password protected database that contained what appeared to be information regarding healthcare workers and traveling nurses. If you had read the account on Security Discovery at the time, you would have read that almost one million people were potentially affected. Based on that reporting, DataBreaches.net reached out to Freedom Healthcare to inquire whether they would be notifying Colorado regulators of the leak. In response, their external counsel called me and emailed me, saying, “We believe there are inaccuracies in [the reporting].” DataBreaches.net agreed to hold off posting anything to give them time to respond more fully to Fowler’s report. On October 28, I received their statement, which I am reproducing in full. I’ll have some comments on the other side and Fowler’s response.

This comment is in connection with a cybersecurity incident that occurred on September 15, 2019. Freedom Healthcare has been in the process of migrating our contact management system from one third-party vendor to another. A portion of the old database which was stored on our previous authorized vendor’s servers was not migrating properly by our new vendor and, to remedy this, our vendor extracted a small portion of that data to handle separately as test data. Unfortunately, the technical vendor inadvertently left the test data on a publicly accessible server. The publicly accessible server was not controlled by Freedom Healthcare but rather our vendor. The test data included personal identifiable information (“PII”) of less than 90 persons who work in the healthcare sector. While this event is something we take very seriously, it is a markedly different situation than what was initially reported in some of the blogs and gave the basis for your request for comment.
We were informed of our technical vendor’s error by Security Discovery, “ethical hackers” who appropriately neither examined it deeply nor copied it to their servers. Upon being informed, we immediately took action and our vendor promptly restricted access to the data. In coordination with our technical vendor and other privacy and cyber security consultants, the investigation revealed that the data was only publicly available for a very limited time, that it was not downloaded or copied in any manner, and that no persons, other than Security Discovery and other authorized users (who had access to the information regardless), accessed or reviewed the data in the limited time that it was publicly available. Based upon these conclusions, and because it contained incorrect information, Security Discovery removed their posting. From the investigation findings, we do not believe there is a legal duty to report this incident, and do not believe that the individuals whose PII was available are at any risk. However, the breach notification laws are in flux and thus, out of an abundance of caution, we are notifying those individuals whose PII was available. Freedom Healthcare takes the privacy of its employees and customers very seriously and we are committed to ensuring their protection. While this incident is best described as a “near miss”, we are working with our technical vendor and cyber-security experts to protect against something like this from happening again. We are grateful for the services of Security Discovery and the role ethical hackers play in our society. They provide a valuable service in ensuring data protection.

Based on their statement provided to this site, Freedom Healthcare seems to be acknowledging that there was a misconfiguration (by a vendor) and that personal info was exposed. They also appear to acknowledge that they learned of it because of Fowler’s notification to them.
Apart from attributing the error to a vendor and not to their own employees, it seems like the biggest disagreement with Fowler’s reporting was one of numbers. He claimed that 957,000 had data exposed. They claim fewer than 90. So why didn’t Fowler just issue a correction and apology if that was the issue (if he had actually made an error in the numbers that they could prove)? Why did Security Discovery just silently remove their post with no explanation at all? And what about all the sites that had linked to that report and reported his stated findings?

DataBreaches.net contacted Security Discovery to ask why they removed their report. And that’s when things got even more confusing, because it seems they removed their post because they didn’t have enough data to show that the data were real and not “test data.” Fowler explained, in part:

As a policy we do not download the data we discover and only take a very small sample of documents for verification purposes. The same day it was published, I got a call from their lawyer who said that they insist it was internal test data. […] Unfortunately, I can not confirm with confidence that the data was not test data as they said, so I redacted the article.

Maybe the data were being used for testing migration, but by Freedom Healthcare’s own statement to this site, those were real data on some healthcare workers. It seems that Fowler removed the report based on Freedom Healthcare’s initial claim that the data was (only) “internal test data.” But “internal test data” can be real data. When entities tell researchers (or journalists) that something was only “test data,” we need to follow up by asking whether they mean real individuals’ data being used for testing purposes or whether they are claiming that the data itself is fake/fabricated data not tied to real individuals. Fowler seems to have found a real exposure, although the number of individuals exposed may be in dispute.
Maybe he shouldn’t have been so quick to just remove the article. It might have been better to update it to say that it was under review. But Fowler gets the last word on this one, as he realized that in the future, they need to download and preserve more proof of leaks to support their reporting. He wrote to me:

As I am sure you understand, our focus is on data […]