URLs Are NOT Passwords, and Sadly, That Needed to Be Said (Stolowitz vs. Nuance Communications)

In 2014, Nuance Communications discovered that anyone could access protected health information on one of its platforms. After the situation persisted for years, a former employee decided to submit a whistleblower complaint to HHS. For his efforts, he spent more than one year fending off threatened federal hacking charges, even though no hacking was involved. This is a bit of his story.

A Problem is Discovered

In September 2014, software technology corporation Nuance Communications discovered a problem. Protected health information (PHI) of some patients could be accessed without any password by anyone who knew the URL. Not only that, but anyone who changed the URL by going up or down by 1 could access other patients’ information. A court filing by Marc Stolowitz, former senior software engineer at Nuance, explains (typos as in the original):

On or about September 25, 2014, Holly Woemmel, then Nuance’s Healthcare Incident Coordinator, authored a Privacy Incident Report. In pertinent part, she wrote:

Today, a URL was passed via email on the Nuance network internally from one person to another and when entered into Internet Explorer will show a patients report. This would be fine if the system would first ask for a username/password, but was able to access the report without. I have verified that this report can be viewed outside of the Nuance network which would mean if the appropriate format of the URL is known, could be seen by anyone. Also, if you increment the number of the URL, you can see other reports also. Not sure if this may be a HIPPA violation, thus why I’m writing you about it. I can provide further information, but will do that when requested.

The team concluded that this incident was not a HIPAA breach because PHI had never left Nuance’s internal network, but they knew there was a problem because PHI was exposed to the public. Nuance subsequently referred to this problem as the “E5 URL Issue.”

From September 14, 2014, until before October 17, 2016, Nuance reportedly made at least three unsuccessful efforts to resolve the problem. Stolowitz states that management eventually decided to replace the system with a new database system at some unspecified later date.

By the time Stolowitz separated from Nuance in 2016, the problem still hadn’t been resolved. And so, years after the problem was discovered, PHI remained publicly available to anyone who stumbled across a URL or knew where to find it.
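The behaviour described in the incident report, next to the server-side check it says was missing, as an added illustration (not code from Nuance, the court filing or this article). The record store, session table, facility labels and function names are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    report_id: int
    facility: str   # constructed label for the customer that owns the record
    body: str

# Constructed sample store keyed by a sequential integer, as the report describes.
REPORTS = {
    1001: Report(1001, "clinic-a", "constructed report text A"),
    1002: Report(1002, "clinic-b", "constructed report text B"),
}

# Constructed session table: session token -> facilities that user may read.
SESSIONS = {"tok-alice": {"clinic-a"}}

def get_report_unprotected(report_id):
    """Reported behaviour: the number in the URL is the only thing consulted."""
    report = REPORTS.get(report_id)
    return (200, report.body) if report else (404, "")

def get_report_protected(report_id, session_token=None):
    """Authenticate the caller, then authorize per record, on every request."""
    facilities = SESSIONS.get(session_token)
    if facilities is None:
        return (401, "")   # no valid session: credentials are required first
    report = REPORTS.get(report_id)
    # Same answer for "does not exist" and "not yours", so the response
    # does not reveal which identifiers are in use.
    if report is None or report.facility not in facilities:
        return (404, "")
    return (200, report.body)
```

With the second handler, knowing or incrementing the identifier no longer matters: access depends on who is asking, not on what the URL looks like.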

Stolowitz Decides to Blow the Whistle

Although no longer employed by Nuance, Stolowitz remained concerned about the exposed PHI. In November of 2017, when a check of URLs revealed that the public could still access PHI, Stolowitz started downloading data to submit a whistleblower complaint to the U.S. Department of Health & Human Services. Over several weeks in November and December 2017, he downloaded approximately 45,000 records and organized them for a submission to HHS. He made no effort to hide his IP address when downloading the files.

Before he could submit any complaint, however, Stolowitz was raided by the FBI in January 2018. He tells DataBreaches that Nuance had reported the incident as a crime and had given the FBI Stolowitz’s personnel file.

Stolowitz claims he cooperated fully with the FBI and explained to them that he had downloaded data for a whistleblower complaint he was filing. They did seize his devices and a USB drive containing the data, which he handed to them. Eventually, everything would be returned to him. But from January 2018 until June 2019, Stolowitz had to deal with false claims about him and the threat of federal criminal prosecution.

Nuance Discloses the Incident Without Mentioning the Lack of Even a Simple Password

While Stolowitz was dealing with the threat of prosecution, Nuance filed its quarterly SEC report in May 2018, writing, in part:

[I]n December 2017, an unauthorized third party illegally accessed certain reports hosted on a Nuance transcription platform. This incident was limited in scope to records of approximately 45,000 individuals and was isolated to a single transcription platform that was promptly shutdown. Customers using that platform were notified of the incident and were migrated to our eScription transcription platforms. We also notified law enforcement authorities and have cooperated in their investigation into the matter. . . . This incident did not have a material effect on our financial results for the six months ended March 31, 2018 and is not expected to have a material effect on our financial results for future periods.

Nuance also presented the incident to their clients as an illegal access by a former employee. One client then issued a notification that read, in part:

The incident happened at Nuance Communications, a Massachusetts-based company contracted to provide medical transcription services. The information was accessed last year from November 20 to December 9. Notification to patients was delayed at the request of the FBI and the U.S. Department of Justice, pending their criminal investigation into the incident. The investigation determined that a former Nuance employee breached Nuance’s servers and accessed the personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department has informed Nuance that it does not appear that any of the information taken was used or sold for any purpose, and that all of the data have been recovered from the former employee.

The former employee “breached” the servers? Why did no one publicly reveal that there was zero security on the data that Stolowitz downloaded and that anyone could have done what he did?

DOJ Pressures Stolowitz to Take a Plea Deal

Stolowitz provided DataBreaches with copies of some correspondence involving the U.S. Attorney’s Office. The U.S.A.O. was pressuring him to plead guilty to a misdemeanor or else they would throw felony charges at him under the Computer Fraud and Abuse Act (CFAA). By their calculations, he had accessed, without authorization, 45,000 files each worth $500, which exceeds the $5000.00 minimum bar set for felony prosecution under §1030(c)(2)(B)(iii).

“Without authorization?” What authorization was needed if there was not even a simple password or “keep out” banner? While the default in the physical world is that authorization is required before entering someone’s home (even if they leave the door open), the default on the internet should be that no authorization is required because the internet was created to network and share.

Three years later, the Supreme Court issued its decision in Van Buren v. United States, 141 S.Ct. 1648 (2021), an opinion that restricts the application of the CFAA to those who access a computer without authorization (when authorization is required) and to those who have authorization to access a computer but obtain information from it that they are not entitled to obtain under the terms of their access.

The decision made clear that the CFAA does not apply to those who access publicly available information. Nor was it intended to chill whistleblower activity.

Whistleblower Protection

Three years before the Supreme Court ruled on Van Buren, Nuance Communications appeared to be trying to criminalize Stolowitz’s whistleblower behavior. But in his separation letter agreement of 2016, there was this critical paragraph:

Protected Activity. You understand that nothing in this Agreement shall in any way limit or prohibit you from engaging for a lawful purpose in any Protected Activity. For purposes of this Agreement, “Protected Activity” shall mean filing a charge, complaint, or report with or otherwise communicating with or participating in any investigation or proceeding that may be conducted by, any federal, state, or local government agency or commission . . . . You understand that in connection with such Protected Activity, you are permitted to disclose documents or other information as permitted by law, and without giving notice to, or receiving authorization from, the company. You agree to take all reasonable precautions to prevent any unauthorized use or disclosure of any information that may constitute Company Proprietary Information under this Agreement or the PIN to any parties other than the relevant Government Agencies . . . .

And that is precisely what Stolowitz had been in the process of doing.

Maybe Nuance did not know that Stolowitz was accessing and downloading data to file a whistleblower complaint. But once Stolowitz informed the FBI that that is what he was doing and showed them what he had been working on, why did the criminal inquiries continue? Why didn’t the DOJ go back to Nuance and say that there were no criminal grounds to pursue as Stolowitz was engaged in protected activity?

Or why didn’t the FBI go back to Nuance and say, “Wait, you said there was unauthorized access, but there wasn’t any password or ‘keep out’ banner on the files. No authorization was needed”?

We’ve seen this before—too many times. Companies caught with their security pants down try to blame the individual who points out that they have left PHI publicly and freely available.  In 2016, this blogger reported on the case of Justin Shafer, who had found an FTP server exposing patient data hosted by Patterson Dental. Rather than just thanking him and responding appropriately, they managed to get the FBI to raid him, seize his devices and try to prosecute him criminally. His case went on for years, and the DOJ never filed any hacking-related charges. It took him years to get his devices back from the FBI.

Why did the DOJ treat Stolowitz like a criminal instead of a whistleblower while treating Nuance Communications like a victim instead of treating Nuance like a money-making operation that knowingly left PHI exposed to public access for years?

Criminal defense attorney Tor Ekeland shared his bleak assessment of the reasons. According to him, there are more employees of DOJ than there are criminals or crimes, and they need to do something to justify their employment. There is also careerism. Where will all the assistant U.S. Attorneys go eventually, he asks?  Into businesses?  Are investigators and prosecutors establishing cordial relationships with companies to further their future opportunities?

Ekeland believes that they are doing just that.

It’s a depressing picture that Ekeland paints, and DataBreaches hopes that things are not quite as bad as all that, but that is a question for a different day and a different post.

Stolowitz Gets Offered a Plea Deal

Here is part of the plea deal that the U.S.A.O. for the Southern District of Florida offered Stolowitz.

  1. The defendant agrees to plead guilty to the sole count of the Information charging defendant with a violation of Title 18, United States Code, Section 1030(a)(2)(C).
  2. The defendant further understands and acknowledges that, as to this count, the Court may impose a statutory maximum term of imprisonment of up to 1 year and a term of supervised release of up to 1 year. Further, the defendant understands that the Court may impose a fine of up to $100,000.  The defendant further understands and acknowledges that a special assessment in the amount of $25 will be imposed on the defendant.  The defendant agrees that any special assessment imposed shall be paid at the time of sentencing.

That’s some “deal,”  isn’t it, for someone innocent?  The “factual proffer” made no mention that Stolowitz was involved in whistleblower behavior.

Stolowitz declined the deal and retained Tor Ekeland to defend him in collaboration with Matthew Ladd. In correspondence between the USAO and Ekeland, the Assistant U.S. Attorney wrote, in part:

I do not believe the facts are in dispute. In short, Stolowitz learned of a (non-guessable) backdoor URL for his employer’s website. After his termination, Stolowitz used the backdoor URL without authorization  to access personal health information. Specifically, Stolowitz downloaded over 50,000 people’s personal health information onto a thumb drive that Stolowitz maintained at a storage unit. A few months later,  the FBI conducted a search warrant at Stolowitz’s residence. Stolowitz  directed the FBI to the thumb drive. The forensic analysis indicated  that Stolowitz’s computers appear to have been wiped.

I assume the dispute is a challenge to the legal applicability of 1030  to these facts…..

Well, that’s one way to frame it, but one person’s “(non-guessable) backdoor URL” is another person’s “publicly available and accessible unsecured URL.”

Ekeland responded with a memo for discussion purposes: “WHY URLS ARE NOT PASSWORDS.” That memo is embedded below this article with Stolowitz’s and Ekeland’s permission.

Despite Ekeland’s September 2018 memo, the USAO’s deliberations dragged on until June 25, 2019, when Ladd submitted a filing that the DOJ had made in April of 2019 in a case with a similar fact pattern. Less than 15 minutes later, Stolowitz’s counsel received a reply that DOJ was not going to prosecute Stolowitz: “We have declined this case. Feel free to reach out to the agent for his property.”

Did they decline the case that quickly after reading that DOJ filing, or had they already decided to decline prosecution but didn’t get around to telling Stolowitz until his attorney emailed them again? DataBreaches does not know. Either way, the threat of federal prosecution was over.

But could Stolowitz be compensated for what he went through?

Stolowitz Sues Nuance

In January of 2022, Stolowitz filed a civil suit against Nuance, alleging malicious prosecution, defamation, fraud, retaliation, and common law invasion of privacy.  His complaint was dismissed with prejudice.

It may be incomprehensible to those with a sense of fairness that someone could be falsely accused of a crime, have to spend thousands of dollars on lawyers to help them, and have their reputation smeared, only to be told that there was no harm because they were never actually charged criminally.  There is no compensation for the emotional toll of having a possible federal prosecution hanging over your head? A firm falsely accused you of accessing files without authorization and started your entire ordeal, yet they do not have to compensate you at all? This is justice?

The HIPAA Complaint

Stolowitz filed his whistleblower complaint in December 2019. He received a letter that HHS consolidated his complaint with an investigation they had opened after receiving a report on the incident from one of Nuance’s clients. The closing note on that entity’s report reads:

On February 27, 2018, the covered entity (CE), Artesia General Hospital, notified OCR of a breach by its business associate (BA), Nuance Communications/Fast Health, that occurred from November 20, 2017, to December 9, 2017, when Nuance’s computer server was taken offline. The electronic protected health information (ePHI) involved in the breach consisted of approximately 864 patients’ names, dates of birth, diagnoses, and other treatment information. OCR opened an investigation of the CE to determine compliance with the Privacy Rule’s BA contract requirements. The CE provided the BA Agreement (BAA) with Nuance and OCR determined that the BAA appears to comply with the requirements specified in the Privacy Rule. OCR opened a separate review of the BA.

Stolowitz has received no further update from HHS since the notice of consolidation.

DataBreaches could find no breach report to HHS by Nuance Communications on HHS’s public breach tool. This may indicate that all affected covered entities made their own reports to HHS, or it may mean that HHS has not posted Nuance’s report while the firm may still be under investigation.

DataBreaches reached out to Nuance to request an interview about the Stolowitz matter and HHS investigation but received no reply.

[Embedded memo: URLS Are Not Passwords 2018-09-27 US v Stolowitz FINAL (2)]

About the author: Dissent