One of the more teeth-gnashing aspects of investigating and reporting on breaches is that I later see “mainstream” news outlets reporting on those breaches as though they had no information about them other than what the entity put out in their press release.
So-called “news” outlets do not serve their readership well when they become complicit in downplaying breaches that put privacy and data security at risk. If all you’re going to do is lob softballs at an entity or allow them to tell their side of a breach without looking into their claims or reading what others have found when they investigated, maybe you should just ask the entity to pay you a fee for doing their public relations for them.
Yes, I realize that my commentaries on some breaches may strike some as harsh, but why aren’t more sites telling their readers the facts about some of these breaches? In the past two months, we’ve seen databases with large numbers of patients’ information put up for sale. Even if those listings have now been removed from one dark web market, those databases are still in the possession of criminals who can re-list them in months or next year. Why aren’t more news outlets telling the public about those risks instead of claiming that there are (unlinked) reports that the data “may be” up for sale?
One site that has not been afraid to share more facts about breaches with its readership is HIStalk. And as with this site, their work is not often publicly credited by those who read it and then either ignore it or use it as the basis of their own story ideas.
Today, HIStalk posted a reader comment and their response that concerns this site:
From Gidget: “Re: DataBreaches.net. You mention them specifically in your security updates. Do you have a business arrangement with them?” No. I simply think they are doing fantastic work and it’s only fair to credit them as my source, even if they refer to a source of their own. I’m just about the only publication to give them credit, I’ve noticed. That’s pretty sleazy and self-serving for alleged journalists who are paranoid that their audience might realize how little actual reporting they do and therefore try to hide that fact by passing off someone else’s legwork as something they sleuthed out themselves. It bugs me that plenty of sites get their story ideas from HIStalk without giving credit, so I won’t do it to someone else. I use only original sources (never other health IT sites since all they do is summarize press releases and journal articles while adding no value) and I always provide a link.
Amen, HIStalk, amen. And no, there is no business arrangement between our sites. Just a mutual admiration for each other’s efforts to get information out there that goes beyond an entity’s self-serving statements.
So to those local news outlets or mainstream media sites that continue to participate in entities’ attempts to spin or minimize breaches: do your job and tell your readers what we do know about breaches. There’s no reason to keep talking about an “unnamed vendor” when a vendor has been identified by this site and has confirmed it to this site. And there’s no reason to tell your readers that their information “may have” been exposed online or “may have been” put up for sale on the dark web, when both were observed and reported on – often with screenshots showing what happened.
It’s time to stop pussyfooting around in reporting on breaches.