Prosecution drops five felony charges against Justin Shafer, accepts plea to one misdemeanor charge
In May 2016, the Dallas FBI raided dental integrator and independent researcher Justin Shafer because of allegations that he had accessed an FTP server without authorization. Shafer was subsequently raided twice more, and in March 2017, he was arrested and charged with stalking a federal employee – not hacking or any criminal conduct related to hacking, but stalking a federal employee. Over the next year, the prosecution would pile on more stalking counts in superseding indictments so that Shafer wound up facing five felony charges.

But today, the government’s attempt to prosecute Shafer as a dangerous FBI-stalking villain ended with a whimper instead of the bang the prosecutor hoped for. This morning, Shafer pleaded guilty in federal court in Dallas to one misdemeanor count of retaliating against a federal official by threatening a family member. As part of the plea deal, Shafer was sentenced to time served.

Shafer had spent almost eight months in jail after Magistrate Judge Toliver revoked his pre-trial release for blogging, which was deemed a violation of his conditions of release. Shafer’s defense team, consisting of Tor Ekeland and Fred Jennings at Tor Ekeland Law and Jay Cohen at Blass Law in Texas, had appealed the revocation, writing, in part:

The factual bases of the government’s bare bones indictment are a handful of public tweets; a Facebook friend request and message sent to a public Facebook account; the following of a public Twitter account; and two emails to an FBI Agent – one with a “?” emoji and another inquiring about the status of a report of a patient privacy violation. The Defendant made no attempt to mask his identity, and the FBI never contacted the Defendant to express any concern or to ask him to stop his communications. Instead they arrested him.
And any claim that he engaged in a sustained course of conduct with a continuity of purpose to cyberstalk or threaten is ludicrous when compared to facts embodied in the case law regarding these statutes. These accusations led to a pretrial release order so broad it functioned as a prior restraint on Mr. Shafer’s constitutional right to speak about the accusations made against him. When he sought to do so – through a post on his work-related blog – the magistrate judge revoked release, broadly interpreting the release condition terms and finding a violation of those conditions. An innocent man — who the government has not charged, and cannot charge, with any violent crime, nor with any history of violent crime — is now in jail on the basis of protected speech.

Judge David Godbey firmly agreed with the defense that Shafer had had a right to blog, and Shafer was re-released in December, 2017 to await trial. And the case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal. Today’s plea deal was partly the result of Shafer holding firm that he would not just plead guilty to any felony.

After a plea agreement was reached, Shafer’s defense team issued the following statement:

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment.
Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

Under the terms of today’s plea deal, Shafer has agreed to have no contact, either personally or through any associates whatsoever, with Special Agent Nathan Hopp of the Dallas FBI or any of his immediate or extended family members. The no-contact agreement also applies to Judge Jeffrey Cureton, his staff or any of his immediate or extended family members.

There never was any evidence that Shafer had ever physically approached or physically assaulted anyone. Nor was there ever any clear evidence that he had even threatened to approach anyone physically. Even the misdemeanor charge appeared to be a stretch far beyond the available evidence.

For its part, in addition to moving to dismiss all the remaining charges against Shafer, the government agreed it will not criminally prosecute Shafer for any charges relating to the investigation of the alleged unauthorized FTP server access in the Patterson matter that led to the May 2016 raid.

What Now or Next?

Prior to today’s hearing, DataBreaches.net had asked Shafer if he felt that justice had been served in the anticipated plea deal. Shafer responded that after his ordeal, he now believes that justice is just “an illusion.” His experience has also chilled his willingness to try to protect patient data. When asked in email if he would resume his efforts to find leaks and notify entities so they could secure the data, he replied:

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye.
Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were […]
Superseding indictment filed in Justin Shafer case
As anticipated, federal prosecutors have filed a superseding indictment in their case against dental integrator and vulnerability researcher Justin Shafer. For those in a rush, the TL;DR version is that they have basically transformed a bullshit two-count indictment into a bullshit three-count indictment. [For the benefit of law enforcement in Texas, that preceding sentence is considered opinion and protected speech, as much as you may dislike it.]

The superseding indictment adds one more count of stalking to the previously filed two counts:

From on or about November 2016, the exact date being unknown, until on or about February, 2017, in the Dallas Division of the Northern District of Texas and elsewhere, the defendant, Justin Mark Shafer, with the intent to harass and intimidate a person and more than one person, used and attempted to use, interactive computer services, electronic communications systems of interstate commerce; internet websites, telephone and other facilities of interstate or foreign commerce, to engage in a course of conduct that caused and attempted to cause and was reasonably expected to cause substantial emotional distress to JC and MK. In violation of 18 U.S.C. § 2261A(2)(B) & 2261(b).

Based on available information, “JC” appears to refer to Magistrate Judge Jeffrey L. Cureton, while “MK” likely refers to his judicial assistant, Margarita Koye.

So when you have a weak case where someone engaged in protected speech, just double down – throw more protected speech into the mix and claim that that protected speech was also an attempt to cause distress, right? Surely the more people who are upset by your speech, the more “victims” there are of “stalking,” right? If I’m upset with you for months and email you for months, multiple times, to convey my distress and disgust with your behavior because your behavior is ongoing and continues to trouble me, isn’t that (still) protected speech?
I am not aware of any clause in the First Amendment that would suggest that speech is only protected if you say it less than X times. So what, exactly, is Shafer alleged to have done that crossed the line from protected speech to “stalking” court personnel? And are we now going to rewrite the Constitution so that any time someone sends an angry or upset communication, we claim that they are attempting to cause distress and could reasonably expect to cause distress and are therefore stalking? Has this country become a bunch of snowflakes? Shafer’s attorney, Tor Ekeland, was not available for comment by the time of publication.
Court dates set in Justin Shafer case
On Friday, December 1, lawyers for an infosec researcher who has been in jail since April will argue that U.S. District Judge David C. Godbey should release Justin Shafer from jail while he awaits trial.

For those who are not familiar with the case, Shafer, a dental integrator technician and independent infosec researcher, faces federal charges of cyberstalking an FBI agent and the agent’s family. And those are the only charges he currently faces, although you might have been misled by others’ headlines into believing that he is an alleged hacker or an alleged co-conspirator of the blackhats known as TheDarkOverlord. Shafer has not been charged with any hacking-related activity at all.

In fact, the case against Shafer initially had nothing to do with blackhat hackers at all and everything to do with the fact that Shafer was uncovering and disclosing leaking databases, and the entities he was reporting on did not always take kindly to being embarrassed publicly for their poor data security. Shafer would also file complaints with HHS/OCR and the FTC over sloppy or failed data security. And it was one of those entities who apparently tried to accuse Shafer of hacking them after he found patient data on a public FTP server that did not require any login.

Once the FBI started investigating Shafer as if he was some blackhat criminal for finding and disclosing leaky databases, Shafer’s relationship with one Dallas FBI agent started to deteriorate. And it was only against the backdrop of that already somewhat adversarial relationship that, when Shafer started investigating TheDarkOverlord one month later and trying to help the FBI, the FBI started treating him as a possible co-conspirator instead of as an asset.

To be clear: while Shafer repeatedly and demonstrably attempted to help the FBI catch TheDarkOverlord, Shafer did make negative public comments to and about a Dallas FBI agent, Nathan Hopp, whom Shafer felt harassed by over a period of years.
Those comments were made on Shafer’s blog and on his Twitter account. But was there really anything criminal about those comments or are they protected speech under the First Amendment? And who wouldn’t be angry if you’d been raided three times by the FBI and you had never done anything illegal? Maybe it was imprudent to shoot off his mouth at an FBI agent or his family, but Shafer and his family have been through a lot of harassment from their perspective.

I recently reported what Shafer’s wife told me about how all these raids have affected their children, but here’s a snippet of Shafer’s description of one of the raids, and his concern for his child’s safety because of it. On February 2, he wrote about the second (January) raid:

… I heard some boots making noise outside the house. I went outside, and there was a guy with an AK-47 pointing it at me, freaking out because my hands are not up. That is when I saw 5 or 6 guys by my garage, and I think everyone had an AK-47 it seemed. These dudes were TWICE the size of the guys who raided me the first time. They told me they were not part of the first people who raided me, because I asked if Nathan Hawk was around. =) [Note: at the time of this raid, Shafer still mistakenly thought Agent Hopp’s name was “Hawk”]. I remember what [a lawyer] said, and decided I would take his friendly advice. He told me if he was raided, he would decline all interviews and just leave. You don’t need to be present during a raid, really. The FBI Agent who had a gun on me told me we could go inside after they “cleared” the house (make sure nobody else is inside). I told him I “respectfully decline the interview.” I then told him I wanted to leave, and they said okay but didn’t let me leave. Then he told me again they would let me leave after I talked, and I reminded him that I “respectfully decline this interview.” So they put me into a NRH cop car, and then told me they were taking me to jail […] I was upset when my 3 year old daughter handed me a CR-2032 battery. Any kid who eats one of those, dies. Horrific. I am very careful to keep shit off the floor. If she had eaten it, I would be losing my mind…..

Might you be upset with the FBI under similar circumstances?

But wait, you say – didn’t the FBI find actual evidence during that January raid that Shafer was conspiring with the blackhat hackers known as TheDarkOverlord? Didn’t you see something about a stolen database and a chat log? No, the FBI did not find evidence of any conspiracy nor any criminal activity on Shafer’s part. What they found was that TheDarkOverlord gave Shafer information in 2016 which Shafer had then promptly passed along to the Dallas FBI via e-mail and phone to help them. What they found in January, 2017 was what Shafer had already given them and other law enforcement agencies in 2016 to help them catch TheDarkOverlord. And if you haven’t seen the evidence I posted showing that Shafer was trying to help the FBI – see this post for screenshots.

So Shafer was charged with cyberstalking, in a complaint padded with references to claims that he was being investigated as a co-conspirator of TheDarkOverlord, when the factual history shows that Shafer was passing along information on TheDarkOverlord to law enforcement in both this country and the U.K.

When Shafer was arrested, he was released with pre-trial conditions. Those conditions included what many First Amendment experts might consider prior restraint of speech. Shafer has every right to complain about an FBI agent whom he feels is harassing him or his family. He has every right to complain loudly and publicly about an agency repeatedly raiding him even though there is no evidence of wrongdoing on his part. Criticizing an FBI agent publicly doesn’t seem exactly prudent, but that doesn’t make it criminal speech or conduct.
So why has it cost Shafer his freedom for all […]
Developing: Justin Shafer arrested, charged with cyberstalking FBI agent’s family
In what has become an increasingly bizarre case, researcher Justin Shafer was arrested Friday evening, detained in Dallas County Jail over the weekend on a “hold” request from the FBI, and then transferred to federal court today, where he was charged with cyberstalking. For the benefit of those who haven’t followed this story from the beginning: Shafer is a Dental IT integrator in Texas who’s knowledgeable about patient management software in the dental sector. He’s uncovered and reported a number of vulnerabilities that he discusses on his blog. Some of his research and advocacy resulted in enforcement action by the FTC to protect consumers and patients. In addition to identifying and reporting vulnerabilities in software, Shafer finds patient data leaks by using search engines such as FileMare for certain keywords and then searching the results for FTP servers that are configured to allow “anonymous” login – i.e., anyone can access the files. When Shafer finds exposed protected health information (PHI), he generally contacts the covered entity or database owner to alert them and then discloses it publicly, contacts the media, and/or files a complaint with the U.S. Department of Health & Human Services (HHS), alleging violations of HIPAA’s security requirements. In May, 2016, Shafer was raided by the FBI, as I reported on The Daily Dot at the time. It appeared, based on what Shafer was allegedly told by an FBI agent, that Patterson Dental might have complained that Shafer hacked them (see this incident that this site reported in February, 2016). 
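The check described above, written out as an added example for this page (it is not Shafer's tooling and has nothing to do with FileMare): connect to an FTP server, attempt the anonymous login, and if it succeeds list the top-level names without retrieving a single file. The host names and the offline stand-in server class are constructed so the script runs without a network; a real run passes real hosts on the command line and uses the standard library's ftplib directly.

```python
"""Added example: does this FTP server accept the 'anonymous' login, and what
does it expose? Lists names only; never issues RETR. Hosts are placeholders."""
import ftplib
import socket
import sys
from dataclasses import dataclass, field

# Names ending like this get flagged for a human to look at. A hit is not
# proof of PHI, only the kind of bulk export that is worth reporting on.
SENSITIVE_SUFFIXES = (".csv", ".xls", ".xlsx", ".mdb", ".bak", ".sql", ".zip")


@dataclass
class AnonFtpResult:
    host: str
    anonymous_login: bool
    reason: str = ""
    banner: str = ""
    entries: list = field(default_factory=list)
    flagged: list = field(default_factory=list)


def check_anonymous_ftp(host, port=21, timeout=10, ftp_factory=ftplib.FTP):
    """USER anonymous / PASS guest@, then NLST on the root directory.
    ftp_factory is injectable so the same logic runs offline against the
    constructed stub below; by default it is the real ftplib.FTP."""
    ftp = ftp_factory()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
    except (socket.timeout, OSError) as exc:
        return AnonFtpResult(host, False, reason=f"unreachable: {exc}")
    try:
        ftp.login("anonymous", "guest@")
    except ftplib.error_perm as exc:          # 530 Login incorrect, etc.
        ftp.close()
        return AnonFtpResult(host, False, f"login refused: {exc}", banner)
    try:
        entries = ftp.nlst()
        reason = "anonymous login and listing allowed"
    except ftplib.error_perm as exc:
        entries, reason = [], f"anonymous login allowed, listing refused: {exc}"
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    flagged = [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]
    return AnonFtpResult(host, True, reason, banner, entries, flagged)


class ConstructedFtpStub:
    """Constructed stand-in for ftplib.FTP so the example runs offline. It
    mimics only the calls check_anonymous_ftp makes."""

    def __init__(self, allow_anonymous, listing=()):
        self.allow_anonymous = allow_anonymous
        self.listing = list(listing)

    def connect(self, host, port=21, timeout=None):
        return "220 constructed-ftp ready"

    def login(self, user="", passwd="", acct=""):
        if not (user == "anonymous" and self.allow_anonymous):
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Login successful."

    def nlst(self, *args):
        return list(self.listing)

    def quit(self):
        return "221 Goodbye."

    def close(self):
        pass


def demo():
    """Offline run: one server that allows anonymous listing, one that refuses."""
    exposed = check_anonymous_ftp(
        "open.example.invalid",
        ftp_factory=lambda: ConstructedFtpStub(True, ["backup", "patients_2016.csv", "readme.txt"]))
    locked = check_anonymous_ftp(
        "locked.example.invalid",
        ftp_factory=lambda: ConstructedFtpStub(False))
    return exposed, locked


if __name__ == "__main__":
    results = [check_anonymous_ftp(h) for h in sys.argv[1:]] or list(demo())
    for r in results:
        print(f"{r.host}: anonymous={r.anonymous_login} ({r.reason}) flagged={r.flagged}")
```

A directory listing plus the banner and a timestamp is enough for an entity to verify the exposure on its own server. Copying records off the server, which this page shows being recharacterized as access "without permission", is the step the script deliberately does not take.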
The complaint filed in today’s arrest makes clear that the May, 2016 raid was, in fact, because Patterson accused Shafer of accessing their files “without permission.” Shooting the messenger instead of just owning responsibility for a security mistake is neither appropriate nor helpful in improving cybersecurity, as such accusations tend to chill other researchers from reporting what they find, leaving entities in the dark and criminals with more vulnerable sites to attack. No charges were filed against Shafer following the May, 2016 raid. In January, 2017, Shafer was raided again, but there were still no federal charges or state charges filed. On March 22, the FBI issued a Private Industry Notice (PIN). That PIN said that the FBI was aware of some criminals accessing data from public FTP servers to harass, intimidate, and/or blackmail site owners. Could they have been talking about Shafer? The PIN appeared to have some possible connection to Shafer because he’s well-known for investigating open FTP servers, but the connection was not clear. Shafer’s style may be obsessive-compulsive, impulsive, and/or abrasive/obnoxious at times, but this site was not aware of anyone ever accusing him of blackmail or intimidation. On March 31, the FBI raided Shafer for a third time, and arrested him for cyberstalking. Not hacking, not anything to do with FTP servers, but cyberstalking under 18 U.S. Code § 2261A(2)(B). The complaint describes conduct Shafer allegedly engaged in with respect to one of the FBI agents involved in his case and that FBI agent’s spouse and family. While some of the behavior cited as evidence of cyberstalking occurred on Twitter, a lot of it occurred on Facebook. Sadly, and assuming for now that they can prove those tweets and posts were really by him, Shafer appears to have focused his outrage and frustration over the May, 2016 raid on one particular FBI agent and by extension, that agent’s family. 
DataBreaches.net is not naming the FBI agent or uploading the complaint at this time. But if you’re thinking this story couldn’t get any more bizarre or unfortunate, let me assure you that it does get more bizarre. Apparently one region of the FBI was (and may still be?) investigating Shafer as a possible co-conspirator of TheDarkOverlord (TDO). You can’t make this stuff up, folks. Well, maybe our President could or FoxNews could, but I can’t. DataBreaches.net was unable to reach Shafer or his wife for a comment by the time of this publication, but will update this story as more information becomes available.
Shafer’s attorney appeals revocation of his pretrial release
Attorneys for Justin Shafer have appealed the revocation of his pretrial release. As regular readers of this site likely know already, Shafer has been in jail since April on charges of cyberstalking an FBI agent and the agent’s family. Those cyberstalking charges have nothing to do with three FBI raids conducted on Shafer prior to his tweets complaining about the FBI agent. Yes, you read that correctly: the FBI had conducted THREE raids on Shafer and had not charged him criminally with anything. The only thing he has been charged with is unkind words after he and his family were repeatedly harassed. Well, that’s how I’d describe it. Here’s how his lawyers described it: The government accuses Justin Mark Shafer of putting an FBI agent and his wife in substantial emotional distress and publishing restricted information about that FBI agent with the intent to incite violence against him. But nowhere in the record, or in the discovery in this case, is there any true threat of violence against anyone. There is no explicit language articulating any kind of threat. The “restricted” information in question was a prior home address for the FBI agent, publicly available on the internet. This entire case is built on innuendo and speculation that withstands neither constitutional nor statutory scrutiny. It is a chilling example of federal law enforcement overreach, and has serious ramifications for constitutional free speech and due process in relation to the internet and computer law. If the government’s accusations in this case are a crime, then millions of social media using Americans are subject to the prosecutorial whim of the Department of Justice. You can read the entire motion here (pdf). As you read the motion, note not only the constitutional issues raised by counsel, but how Shafer’s wife and children were treated – and traumatized by these experiences. DataBreaches.net spoke with Shafer’s wife several days ago. 
She informed this blogger that she and their three children have all been seriously impacted psychologically by the FBI’s raids. “We’re okay,” she said, but “any time the doorbell rings, I point my finger and the kids run to the back of the house. My heart starts racing any time the doorbell rings. I can’t handle it… I am having panic attacks.” According to Mrs. Shafer, their daughter is only first beginning to sleep in her own bed again since being traumatized by the May, 2016 raid. “These were full-blown raids,” Shafer’s wife told me. “You would have thought someone murdered someone.” The motion notes that at least one of the raids was totally unnecessary and the FBI could have simply called Shafer’s lawyer and asked him to have his client turn himself in. Had the FBI done that, Shafer’s young children would not have been exposed to yet more stress and trauma. Why didn’t the FBI do that? Update: I have uploaded Jennifer Shafer’s declaration, here (pdf).
Developing: Shafer raided by FBI again, being detained
Justin Shafer, who was raided by the FBI in May after reporting that he found protected health information (PHI) leaking from a public FTP server, was raided by the FBI again today. Shafer, a dental technician and active researcher of patient management software systems in the dental field, routinely searches for and uncovers exposed PHI. He notifies the entities, reports on his findings, and in some cases, files complaints with HHS if the entities do not appear to have reported incidents to HHS that he thinks should have been reported. As some others have done, he often downloads data as proof of the leak until the entity reports it or acknowledges it. So was today’s raid related at all to the earlier raid or to his ongoing activities with respect to public FTP servers? Shafer’s wife tells DataBreaches.net that she received a call from a neighbor at 2:00 this afternoon that the FBI were executing another raid. When she got home, she said, Shafer was already in a squad car, and the agents took her into the backyard to ask her what she described as a lot of questions. The questions were not what she expected, as they concerned whether he was working with anyone, whether he had income that she might not have known about, whether he seemed angry at anyone or was afraid of anyone. They also asked whether he made purchases with gift cards or had a lot of gift cards, and whether he had talked with anyone from another country. The questions made no sense to her, she tells this site, and she asked them if this raid was related to FTP servers and Patterson Dental. According to her, the FBI agent answered that that was part of it, but recently, Shafer had “done something else.” What that something else might be they wouldn’t tell her, she said. “I’m clueless,” she told DataBreaches. “I felt like saying, ‘You’re joking, right?’ when they asked me about him or us having money or extra money. I handle all our accounts, including the business. 
We don’t have anything.” Shafer’s wife reported that the agents removed a lot of belongings, including hard drives, their Xbox, his cellphone, his laptop, bank statements, their debit card, and all their credit cards. As of tonight, Shafer is being held at his local police station on a minor drug charge, and his wife believes bail will be set in the morning. The police officer this site spoke with earlier confirmed that the FBI had brought Shafer in, and that apart from the drug charge, there might be other charges coming later. DataBreaches.net is trying to obtain a copy of the search warrant and will update this post as more information becomes available.
HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000
As background: this case began with Justin Shafer finding an unsecured FTP server owned by MedEvolve. He reported it to DataBreaches. This site first reported on the leak in 2018. This site also reported when MedEvolve issued a statement months later, and again two years later when HHS got them to notify patients. Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities. The settlement concludes OCR’s investigation of a data breach, where a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet. HIPAA is the federal law that required the establishment of national standards to protect the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care breaches and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor. The HIPAA Rules require that covered entities and business associates (person or entity that has access to protected health information as part of their relationship with a covered entity), enter into contracts – or business associate agreements – that generally document the permissible uses and disclosures of protected health information, that appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches. 
MedEvolve has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan which identifies steps MedEvolve will take to resolve these potential violations and protect the security of electronic patient health information.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”

In July 2018, OCR initiated an investigation of MedEvolve following the receipt of a breach notification report (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf) stating that an FTP server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some cases Social Security numbers.

OCR investigates every report we receive of breaches of unsecured protected health information affecting 500 or more people. Hacking/IT incidents was the most frequent (79%) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals. It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.

As a result of the settlement agreement, MedEvolve will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. MedEvolve has agreed to take the following steps:

* Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;
* Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
* Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules;
* Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and
* Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/medevolve-ra-cap/index.html.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that you or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html.

Source: HHS
URLs Are NOT Passwords, and Sadly, That Needed to Be Said (Stolowitz vs. Nuance Communications)
In 2014, Nuance Communications discovered that anyone could access protected health information on one of its platforms. After the situation persisted for years, a former employee decided to submit a whistleblower complaint to HHS. For his efforts, he spent more than one year fending off threatened federal hacking charges, even though no hacking was involved. This is a bit of his story.

A Problem is Discovered

In September 2014, software technology corporation Nuance Communications discovered a problem. Protected health information (PHI) of some patients could be accessed without any password by anyone who knew the URL. Not only that, but anyone who changed the URL by going up or down by 1 could access other patients’ information. A court filing by Marc Stolowitz, former senior software engineer at Nuance, explains (typos as in the original):

On or about September 25, 2014, Holly Woemmel, then Nuance’s Healthcare Incident Coordinator, authored a Privacy Incident Report. In pertinent part, she wrote:

Today, a URL was passed via email on the Nuance network internally from one person to another and when entered into Internet Explorer will show a patients report. This would be fine if the system would first ask for a username/password, but was able to access the report without. I have verified that this report can be viewed outside of the Nuance network which would mean if the appropriate format of the URL is known, could be seen by anyone. Also, if you increment the number of the URL, you can see other reports also. Not sure if this may be a HIPPA violation, thus why I’m writing you about it. I can provide further information, but will do that when requested.

The team concluded that this incident was not a HIPAA breach because PHI had never left Nuance’s internal network, but they knew there was a problem because PHI was exposed to the public.
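To make the incident report concrete, here is an added Python sketch (written for this page, not Nuance's code) of the flaw beside a hardened handler. The flawed route treats a sequential report number in the URL as the only credential, so "incrementing the number of the URL" walks every patient's report; the fixed route requires a session, checks that the report belongs to the caller's practice, and puts only an opaque handle in the URL. The report records, practice names and session cookies are constructed.

```python
"""Added example, not Nuance's code: a toy model of a report URL that is the
only 'secret' (the flaw described above) next to a hardened handler. Records,
practices and session cookies are constructed for illustration."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    report_id: int        # sequential database key
    patient: str
    owner_practice: str   # the customer entitled to read this report
    text: str


# Constructed sample data standing in for a transcription platform's reports.
REPORTS = {
    1040: Report(1040, "patient A", "practice-1", "..."),
    1041: Report(1041, "patient B", "practice-2", "..."),
    1042: Report(1042, "patient C", "practice-1", "..."),
    1043: Report(1043, "patient D", "practice-2", "..."),
}
# Constructed session store: cookie value -> authenticated practice.
SESSIONS = {"cookie-p1": "practice-1", "cookie-p2": "practice-2"}


class Unauthorized(Exception):
    """No valid session (HTTP 401)."""


class Forbidden(Exception):
    """Valid session, but not this caller's object (HTTP 403/404)."""


def vulnerable_get_report(query, session_cookie=None):
    """Flawed handler modelled on the incident report: .../report?id=1041 is
    the whole credential. The session is ignored and the key is a counter,
    so anyone can walk the table one id at a time."""
    return REPORTS[int(query["id"])]          # KeyError if the id does not exist


# Hardened design: the public URL carries an opaque handle, never the counter.
# Handles are generated at startup here; a real system would persist them.
HANDLES = {secrets.token_urlsafe(16): rid for rid in REPORTS}


def list_my_reports(session_cookie):
    """The only legitimate way to learn a handle: the application lists the
    caller's own reports after authentication."""
    practice = SESSIONS.get(session_cookie)
    if practice is None:
        raise Unauthorized("login required")
    return {h: REPORTS[rid].patient for h, rid in HANDLES.items()
            if REPORTS[rid].owner_practice == practice}


def hardened_get_report(query, session_cookie=None):
    """Authentication, then object-level authorization, then an unguessable
    identifier. A missing handle and someone else's handle get the same
    answer so the response does not confirm that a handle exists."""
    practice = SESSIONS.get(session_cookie)
    if practice is None:
        raise Unauthorized("login required")
    rid = HANDLES.get(query.get("h", ""))
    if rid is None or REPORTS[rid].owner_practice != practice:
        raise Forbidden("no such report")
    return REPORTS[rid]


def walk_sequential_ids(handler, start_id, session_cookie=None, span=2):
    """Do what the incident report describes: try the ids around start_id
    and return the patient names the handler handed out."""
    disclosed = []
    for rid in range(start_id - span, start_id + span + 1):
        try:
            disclosed.append(handler({"id": str(rid)}, session_cookie).patient)
        except (KeyError, Unauthorized, Forbidden):
            continue
    return disclosed


def demo():
    """Run both handlers through the same misuse; returns results for checking."""
    leaked = walk_sequential_ids(vulnerable_get_report, 1041)          # no login at all
    blocked = walk_sequential_ids(hardened_get_report, 1041, "cookie-p1")
    mine = list_my_reports("cookie-p1")
    my_handle = next(iter(mine))
    own_ok = hardened_get_report({"h": my_handle}, "cookie-p1").owner_practice
    try:
        hardened_get_report({"h": my_handle}, "cookie-p2")              # another customer
        cross_tenant = "allowed"
    except Forbidden:
        cross_tenant = "forbidden"
    return {"leaked": leaked, "blocked": blocked, "own_ok": own_ok,
            "cross_tenant": cross_tenant, "my_reports": sorted(mine.values())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks is the point: authenticate, then authorize against the specific object, and only then resolve the identifier. An unguessable handle on its own is not the fix (handles travel through email, logs and referers just as the original URL did), and a login prompt on its own was not either, since any authenticated customer could still have incremented its way into other customers' reports.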
Nuance subsequently referred to this problem as the “E5 URL Issue.” From September 14, 2014, until before October 17, 2016, Nuance reportedly made at least three unsuccessful efforts to resolve the problem. Stolowitz states that management eventually decided to replace the system with a new database system at some unspecified later date. By the time Stolowitz separated from Nuance in 2016, the problem still hadn’t been resolved. And so, years after the problem was discovered, PHI remained publicly available to anyone who stumbled across a URL or knew where to find it.

Stolowitz Decides to Blow the Whistle

Although no longer employed by Nuance, Stolowitz remained concerned about the exposed PHI. In November of 2017, when a check of URLs revealed that the public could still access PHI, Stolowitz started downloading data to submit a whistleblower complaint to the U.S. Department of Health & Human Services. Over several weeks in November and December 2017, he downloaded approximately 45,000 records and organized them for a submission to HHS. He made no effort to hide his IP address when downloading the files.

Before he could submit any complaint, however, Stolowitz was raided by the FBI in January 2018. He tells DataBreaches that Nuance had reported the incident as a crime and had given the FBI Stolowitz’s personnel file. Stolowitz claims he cooperated fully with the FBI and explained to them that he had downloaded data for a whistleblower complaint he was filing. They did seize his devices and a USB drive that he handed them with data. Eventually, everything would be returned to him. But from January 2018 until June 2019, Stolowitz had to deal with false claims about him and the threat of federal criminal prosecution.
Nuance Discloses the Incident Without Mentioning the Lack of Even a Simple Password

While Stolowitz was dealing with the threat of prosecution, Nuance filed its quarterly SEC report in May 2018, writing, in part:

[I]n December 2017, an unauthorized third party illegally accessed certain reports hosted on a Nuance transcription platform. This incident was limited in scope to records of approximately 45,000 individuals and was isolated to a single transcription platform that was promptly shutdown. Customers using that platform were notified of the incident and were migrated to our eScription transcription platforms. We also notified law enforcement authorities and have cooperated in their investigation into the matter. . . . This incident did not have a material effect on our financial results for the six months ended March 31, 2018 and is not expected to have a material effect on our financial results for future periods.

Nuance also presented the incident to their clients as an illegal access by a former employee. One client then issued a notification that read, in part:

The incident happened at Nuance Communications, a Massachusetts-based company contracted to provide medical transcription services. The information was accessed last year from November 20 to December 9. Notification to patients was delayed at the request of the FBI and the U.S. Department of Justice, pending their criminal investigation into the incident. The investigation determined that a former Nuance employee breached Nuance’s servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department has informed Nuance that it does not appear that any of the information taken was used or sold for any purpose, and that all of the data have been recovered from the former employee.

The former employee “breached” the servers?
Why did no one publicly reveal that there was zero security on the data that Stolowitz downloaded and that anyone could have done what he did?

DOJ Pressures Stolowitz to Take a Plea Deal

Stolowitz provided DataBreaches with copies of some correspondence involving the U.S. Attorney’s Office. The U.S.A.O. was pressuring him to plead guilty to a misdemeanor or else they would throw felony charges at him under the Criminal Fraud and Abuse Act (CFAA). By their calculations, he had accessed, without authorization, 45,000 files each worth $500, which exceeds the $5000.00 minimum bar set for felony prosecution under §1030(c)(2)(B)(iii).

“Without authorization?” What authorization […]
Update: U.S. v. Robert Purbeck aka “Lifelock”
Long-time readers may recall that in 2017 and 2018, DataBreaches.net reported on hacks of two medical practices by someone calling himself “Lifelock.” DataBreaches’ past reporting on him can be found in this July, 2017 post (see comments under the post), in two 2018 posts, and then a post in response to a press release from DOJ concerning his arrest.

Lifelock, whose real name is listed on court filings as Robert A. Purbeck, had first brought himself to this site’s attention by posting a comment under a post about a hack involving a California medical entity. DataBreaches had commented that the incident sounded like it could be the work of thedarkoverlord (TDO). In a comment in response to the post, “Todd Davis” began his comment with “I am the darkoverlord you speak of.” Lifelock subsequently emailed DataBreaches. In that email, he said he wasn’t thedarkoverlord mentioned in the post and that he hadn’t realized that someone was using that as a name. He also provided the text of correspondence he had sent to the California victim.

In 2018, Lifelock contacted DataBreaches again. This time, it was because he wanted DataBreaches to report on (i.e., expose) a medical group in Michigan that had never notified their patients or HHS that he had hacked them and stolen patient data in 2016. In reporting on Lifelock, DataBreaches reported that DataBreaches had noted some significant similarities between Lifelock and TDO, but both Lifelock and TDO had denied any connection between them when they had been asked.

In 2019, FBI agents from various regions reportedly served a search warrant and seized numerous devices from Purbeck’s home in Idaho. According to Purbeck’s court filings, they also questioned him for hours in the hot sun, allegedly trying to get him to tell them passwords to the devices and to get him to confess to being TDO. In his court filings, Purbeck claims that he repeatedly denied any knowledge of, or participation in, TDO.
He also claims that law enforcement knew he wasn’t TDO. DataBreaches does not know the basis for that particular claim, but he also claimed that there was exculpatory evidence in email correspondence with DataBreaches. He was not specific about what he thought would be exculpatory. It is important to note that when Purbeck was charged in the Northern District of Georgia for other hacks he allegedly committed, he was not charged with being TDO or even being part of TDO. [1]

Purbeck has faced significant challenges in defending himself against the criminal charges that include hacks of an unnamed medical clinic in Griffin, Georgia, the city of Newnan, patient data from a medical practice in Locust Grove, Georgia, and an orthodontist in Florida. He has a court-appointed federal defender, but he appears to be mostly pro se for many filings in related litigation in Idaho, the Ninth Circuit Court of Appeals, and Northern California. As far as DataBreaches can determine, Purbeck has not prevailed on any of his motions to have devices returned or evidence suppressed. He has had some success in motions requesting to compel discovery, including a motion for the government to turn over copies of the communications between him and DataBreaches (referred to as “Dissent” in the court filings). In addition to prevailing on some discovery-related motions, some parts of civil suits Purbeck has filed against prosecutors, his employer, and named FBI agents have not been dismissed.

As Purbeck recapped his situation in what appears to be a DM chat with Justin M. Shafer:

I can’t divulge much. But I was tortured by the FBI into confessing to an alleged federal crime and to divulge encryption passwords. I couldn’t get the police to take a report on the FBI agents so I sued the agents. Judge Winmill is allowing me to sue the agents for 4th amendment violations including torture and for sexual assault against one creeper agent for molesting my heat-stroked body. My former county employer is allowed to be sued under an obscure Supreme Court ruling from the 1960’s I found. And the head search agent violated the 9th circuit ruling that a warrant must be provided to the person searched. So he is allowed to be sued under federal law. [2]

Most Recent Development: The April 5 Motion in Northern California

On April 5, Purbeck filed an emergency motion in the Northern District of California. The motion, filed pro se with a companion motion to seal, was filed as an “EMERGENCY MOTION for Return of Property Pursuant to Rule 41(g) for Flagrant and Deliberate Violations of Attorney Client Privilege.” [3] Purbeck’s motion also alleged that the government had failed to use a “taint team” and had read emails or material that was of a personal and/or sensitive nature and beyond the scope of the warrant. Having failed in other courts to get property returned or evidence suppressed, Purbeck had tried to claim that the Northern District of California had the authority to order the return of his property.

On April 19, without any response from the defendant (Merrick Garland) having been filed at all yet, Judge Vince Chhabria signed an order dismissing Purbeck’s motion for lack of subject matter jurisdiction. The order was not only somewhat harsh in its wording, but it went so far as to unseal most of Purbeck’s emergency motion, which resulted in personal and previously non-public information becoming public.

What Next in the Northern District of Georgia?

Meanwhile, in the criminal case in the Northern District of Georgia, many of the filings remain under seal. Purbeck’s response to some filings was due on February 22. The docket does not indicate that any response was ever filed. At this point, it is not clear to DataBreaches what happens next in the Northern Georgia criminal case, but DataBreaches will continue to follow this case.

[1] United States v. Robert A. Purbeck, Case 3:21-cr-00004-UNA.
[2] The quoted material was forwarded to DataBreaches by Justin Shafer, who seems to have reached out to Purbeck and then shared his communications with both this site and […]
NYU professor releases personal info on over 1,500 ICE employees, hopes people will find it ‘useful’
Sarah Taylor reports:

Sam Lavigne, who is reportedly an adjunct professor at New York University as well as a digital designer and developer, released a list of more than 1,500 Immigration and Customs Enforcement employees’ personal information on Wednesday.

What are the details?

In a since-removed blog post on Medium, Lavigne wrote, “I’ve downloaded and made available the profiles of (almost) everyone on LinkedIn who works for ICE, 1,595 people in total. While I don’t have a precise idea of what should be done with this data set, I leave it here with the hope that researchers, journalists, and activists will find it useful.”

Read more on The Blaze.

Most of the copies were reportedly removed, but this site does not know if copies are still floating around somewhere. So if this was publicly available info – apparently voluntarily shared by people on LinkedIn – is this stalking or doxxing or anything wrong? What if you suspect that the list was created with the knowledge that some might use it to harass individuals? Where is the First Amendment line here? Justin Shafer was prosecuted for much less.