You shot the messenger and then needed her help? How did that work out for you?
Some readers might appreciate an update as to what happened when Bronx-Lebanon Hospital Center and iHealth Solutions sent legal threat letters to this site after I notified them and reported that they were leaking protected health information. As I previously noted, I was – and remain – very grateful to Covington & Burling for their representation of me and this site in the matter. Their entrance into the matter produced an immediate shift in the law firms’ tones from strident demands to requests.
But the story doesn’t end there, and this might be categorized under your “payback’s a bitch” category. Read on….
It seems that the hospital and vendor had also sent threat letters to Kromtech Security Research Center, who had discovered the leak. For reasons that are not totally clear to me, Kromtech quickly agreed to the lawyers’ request that they destroy all the data they had downloaded in their research.
Any relief the vendor and hospital may have felt over Kromtech’s cooperation was likely short-lived, however. Kromtech informed me that they were subsequently asked to to tell the entities which patients’ data they had downloaded so the entities would know whom to notify. But of course, Kromtech could not provide that information because they had deleted all the data in response to the entities’ first demand/request. D’oh?
Now the entities could just notify everyone who had PHI/PII on the server, of course, but it seemed like they were trying to narrow the universe to only those whose data wound up in Kromtech’s hands – or this site’s – or NBC News’ hands. And now Kromtech could not tell them which patients had data in the 500 mb of data they had downloaded and then destroyed.
But Kromtech had sent a subset of that data to DataBreaches.net, who had not destroyed the data it possessed. If DataBreaches.net wanted to be helpful, it could go through all the data and let the entities know which patients had data in there, right?
Would this be a good time to remind everyone that the entities had threatened me and this site?
And would it be important to point out that they never directly apologized to me for their heavy-handed threats?
I might have been able to spare the vendor and hospital some notifications if I was willing to donate my time to going through files to compile information for them, but I’m not willing.
I’m not willing, in part, because I do not want to be going through PHI if it’s not for my reporting purposes. And I’m not willing because why should I have to spend my valuable time compiling information for entities that tried to bully me and who now need my help to help them clean up their mess??
So what are the lessons that I wish entities and their lawyers would learn from all this?
- Don’t rush to send legal threat letters. What your mother taught you about catching more flies with honey than vinegar appears true here, too; and
- If you wouldn’t send a legal threat to the New York Times over their reporting, don’t send one to me. This site may be small, under-funded, under-staffed, and under-appreciated, but with the support of great law firms like Covington & Burling, this site will always fight back against attempts to erode press freedom or chill speech.