How can we screw up incident response? Let me count the ways — Monday UK Edition
This week, DataBreaches.net was reminded yet again of the risks of trying to alert an entity to a breach. This time it was not me who was threatened, nor any of the whitehat researchers I know. It was a citizen who found patient records on the street in his town and undertook to report the breach to the responsible party. All he wanted was for them to take responsibility for the incident and retrain their employees to be more careful. Almost two months later, he has been threatened with prosecution, and he tells this site that he was fearful even of contacting us to let us know what was going on.
But let’s start at the beginning…
A man in the UK found records on the street of his town one day. There was more than one record, and it took him weeks to figure out whom to notify, but he finally determined that the records likely belonged to Acacia Mews Care Home. Acacia Mews is run by Avery Healthcare Ltd. So in mid-October, “Joe,” as we will call him, emailed Acacia Mews to inform them of what he had found. Getting no response, he emailed them again. “Is this one of your patients??” he wrote, attaching a copy of a record he had found in the street.
Acacia Mews’ Deputy Manager wrote back:
Many thanks for bringing this to our attention. Yes, this is one of our residents. Yesterday we had our archiving company remove paperwork from the building.
Do you have the original? Would it be possible for us to either collect it or for it to be dropped in at Acacia Mews if you are local and were passing by?
Joe knew that the contractor wasn’t responsible because he had found the records weeks earlier, not the previous day. Joe wrote back again on October 20 (all spelling and typing as in the original):
i found it on the floor on reginald street in luton where i leave there is other papers too
What happened at that point is not clear to DataBreaches.net, as this site does not have the complete email chain. But on November 1, Julie Ricci, the home manager of Acacia Mews, wrote to Joe:
I have contacted the police regarding this matter.
DataBreaches.net does not know why Ms Ricci contacted the police, but in any event, Joe did not seem worried by that email, and replied to them:
that good to know but why you no speak to youre staff??
to help you i copy in ico too
maybe u like me contact press too?
If it is not obvious from the partial exchanges, Joe believes that the data security breach was due to employees at Acacia Mews and not any third party, but so far, Acacia Mews and Avery Healthcare have not provided Joe with any statement about investigating staff or retraining staff or disciplining staff.
Joe did contact the ICO, and on November 4 received a pro forma response. DataBreaches.net does not know if there has been anything further from the ICO.
On November 17, unhappy with what he considered an inadequate incident response, Joe contacted Julie Ricci again:
I did not hear again from you why patience information is on street
you have staff who leave on that street and where avery uniform everyday on they’re way to work but you like to blame other company
maybe avery founders like to answer why?
should i speak to press or cqc too before you teach you’re staff respect?
On November 29, Joe received an email from Jenny Drew, Data Protection Officer for Avery Group Support Centre.
I’m embedding her attached letter below after redacting Joe’s name. Note how she appears to be suggesting that Joe — an individual — has a duty under GDPR to return files to them, as he doesn’t have their consent to have them.
[Embedded letter: AveryHealhcare_Letter_Redacted]
Joe was not intimidated by Ms Drew’s veiled or not-so-veiled threat. He replied:
thank you jenny
glad that there investigation is being done
section 170 says as well It is also a defence for a person charged with an offence under subsection (1) to prove that (ii) with a view to the publication by a person of any journalistic, academic, artistic or literary material, and (iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.
i will get rid of records when investigation is finished
So Joe wouldn’t return all the records to Avery, and DataBreaches.net does not know whether Avery even knows how many records Joe picked up off the street. Joe tells DataBreaches.net that he put all the records he found in a bank for safekeeping. The one record Joe shared with this site as proof was, indeed, very sensitive, containing end of life palliative care notes for a named patient who was not expected to live long at that point.
DataBreaches.net emailed both Julie Ricci and Jenny Drew to ask for clarification, including why, on November 29, Avery Healthcare first stated that they “Will conduct a full and thorough investigation.” Why didn’t they initiate that full and thorough investigation on October 18 when Joe first contacted them? Why did they jump to blaming a contractor?
And why the veiled threat that he might be in legal peril if he doesn’t do what they want? Why should anyone contact entities to report leaks or breaches if they get threatened with prosecution? They’d be better off just keeping the information to themselves, wouldn’t they?
Rather than trying to threaten him, perhaps Avery should have asked him if he would consider turning the records over to the ICO’s office.
In any event, this has not worked out well so far, it seems. DataBreaches.net did not receive any reply from Ms Ricci or Ms Drew, but may update this post if more details are obtained or if there are other developments.