The other day, Joseph Lorenzo Hall, PhD commented on Twitter about how doing notifications of breaches or leaks is a pretty thankless job. And it often is. Yesterday and today, however, I feel pretty good about the time I spent trying to make two notifications.
The first “it was worth it afterall” experience involved a data leak discovered in March, 2018 by Chris Vickery and UpGuard. They had trouble making the notification and reached out to this site for assistance. My frustration and eventual success in notifying Cohen, Bergman, Klepper was reported in this post, where I also noted that I was filing a complaint with HHS OCR about the incident.
Yesterday, I received a resolution letter from OCR that described all the steps that the medical practice took in the wake of the incident and all the other steps that OCR was also requiring them to take– even though a determination had been made that this was not actually a reportable breach under HIPAA. I was gratified to see that among the improvements, the medical practice revised their procedures on notifications and trained staff in them. Hopefully, the next time someone calls them to tell them that they have a problem, they’ll actually listen and investigate it.
A redacted copy of OCR’s letter to me is embedded below this post.
My second “Allrighty….” moment was when I learned that Total Registration, a vendor that provides examination registration services to high schools for students taking the AP or PSAT exams or other exams, did notify all of their clients about a data exposure incident that I notified them about last month. In that case, one of the researchers I regularly hear from had found their exposed database and alerted me to the problem, providing me with some data as proof that data were unencrypted and accessible without any login required. I contacted the vendor, who replied that the situation was addressed, but they didn’t respond to a follow-up inquiry as to whether they would notify their clients. Without that confirmation, this site started contacting a few of their clients to inquire as to whether they had been notified.
It appears that on May 10, Total Registration did contact its clients, and its disclosure did include a lot of details about what data types were exposed and what data types were not exposed. Their disclosure also revealed that the misconfiguration had occurred in June, 2016 and that files would roll over after 48 hours on the server. So there were a lot of files potentially exposed in an almost-three-year period. How many times was data accessed, though?
According to Total Registration’s disclosure (see their web site and the FAQ), Total Registration believes that only the journalist who contacted them (that would be me) accessed the data. From their FAQ:
Do you have evidence that anyone accessed this information other than the individual that reported the issue to you?
We do not have any evidence that any other parties apart from the reporting party had knowledge of or accessed this information.
But no evidence of access means nothing if you don’t have any way to determine whether access even occurred.
There are two problems with Total Registration’s otherwise excellent notification.
First, I never accessed the database. I was sent data by the researcher who found it and who accessed it. That researcher is a whitehat and I’ve never known them to misuse data, but Total Registration never asked me about the researcher, and never asked me to delete any data I might have — or even whether the researcher might have any. My written notification to TR had indicated that I had been informed of their leak by a researcher. My notification did not say who did, or did not, access any data.
Second, in response to some excellent questions from one of their clients, Montgomery County Public Schools in Maryland (see their disclosure here), Total Registration acknowledged that they could not prove their claim of no access because they had no transaction or audit logs. From MCPS’s notification:
While the vendor states that they have no evidence of any third party (aside from the journalist) accessing data, they are unable to state with certainty that the data hasn’t been accessed by others. The vendor states that there are no transaction/audit logs to verify this claim.
Total Registration has been addressing that deficiency as part of its attempt to ensure no repetition of this type of incident, but without audits/logs, I believe it is somewhat misleading to tell clients that there is no evidence of other access.
It’s time that entities stop claiming that they take privacy and security seriously and it’s time that they stop claiming that they have no evidence of access or misuse when they have no way to determine either.
But I do give Total Registration credit for contacting all their clients, and for prominently linking to their security incident notice on their home page. Now I wish that as part of what everyone does, we revisit the question of collecting so much demographic information such as parents’ educational level. Just collect the minimal you need to register the student for the test and call it a day.
So maybe we shouldn’t just look at what Total Registration does as a result of this incident, but we should ask what its clients will do going forward to minimize risks to their students and parents. This is not all on the vendor.
Anyway, there’s some of my news this week. And of course, if there’s a Part 1 to this week, there’s a Part 2 somewhere, right? Stay tuned.OCR_CBK