Commentary: Shooting the Messenger is Not an Effective Incident Response Strategy (updated)
A PHIprivacy.net commentary.
In another post this morning, I described a very worrisome breach involving Lanap & Dental Implants of Pennsylvania.
Our awareness of that breach is due to one person’s persistent efforts to shine some light on it. He responsibly contacted the dental practice over a year ago to alert them when he discovered their patient data online, and he responsibly did not post any of the identifiable patient information. And when he became aware that thousands of patients had seemingly not been notified about the breach, he reached out to the media to help make more people aware of it so they could protect themselves.
He deserves appreciation for his efforts, but so far, all he seems to have gotten is a CEASE AND DESIST letter from the dental practice’s lawyer, Scott McIntosh.
If I understand the C&D correctly, Mr. McIntosh is demanding that the man never mention the dental practice, its doctors, or the breach ever again and they are seeking criminal prosecution of him in two states.
Hopefully, the person who discovered the torren will recognize the letter for what it is – a shameless attempt to intimidate him and chill speech that is protected under the First Amendment. I hope some lawyer who actually has expertise in the First Amendment will help him respond to the ridiculous threat.
It is neither helpful nor appropriate to threaten people with lawsuits for trying to raise public awareness on issues of public concern such as a serious breach.
No, it will not do at all, and I hope both HHS and the FTC take note that the dental practice appears to be trying to intimidate the man into remaining silent about a very serious breach.
Update: See comment below for link to CEASE and DESIST letter.