cognitive cybersecurity intelligence

Is it a Violation of the FTC Act to Falsely Claim Hacking as an Excuse for Personal Mistakes?

I’ve got a bit of a tale for you, chums. A harrowing story where truths were not perhaps spoken as straight as one would prefer. Gather round.

You see, on the 12th of November, our pals over at DataBreaches brought to light an OpEd that addresses the need for more transparency in the disclosure of data breaches. The focus, as you might guess, was on how organisations skirt around the truth, muddling what should be clear as crystal. It left one wanting.

Enter, stage left, a bit of a story to illustrate the point; a yarn about a health centre over in Texas, the Endocrine & Psychiatry Center. They had themselves a spot of bother, it seems. They revealed a breach of data discovered on the 15th of October, 2023, affecting a sum of 28,531 folks — or so it was claimed.

Now, these good people at DataBreaches, they get a sniff of a story and they're off like a hound with its nose to the trail, I can tell you. So, off they went, determined to unmask the truth of the matter. They had a bit of first-hand gossip about this particular caper, so eyes wide open, they delved into the details.

The declaration from the Endocrine & Psychiatry Center’s external counsel, dated to “sometime prior to 03/20/2023”, was a touch suspect. It claimed that the patient data “may have been taken”, implying uncertainty around whether the breach was indeed a hack or something else.

The plot thickens, it seems. The real culprit was an unsecured blob discovered by an external researcher. Now, what’s a blob when it’s at home, you might ask? Well, it’s basically a chunk of data without a named owner. This humble researcher, finding no one to blame, took the matter to DataBreaches, who sensibly identified the owner.

This vigilant researcher had stumbled upon an exposed database with nearly 700,000 records left unlocked for God knows how long. Seems like a leak to me, not a hack at all! That nugget of knowledge was never shared in the breach notification, so no brownie points won there, I reckon.

Speaking of hanging one’s laundry out to dry, I should mention when DataBreaches got in touch with the Endocrine & Psychiatry Center to unveil this unfortunate debacle. The call was placed in March, a tasty bit of info that makes one’s eyes pop, doesn’t it? The supposed discovery date claimed was in October, a date that makes the tardy November notification seem quite prompt, but we know better now, don’t we? It seems there’s room to crack down on these fibbing dates of discovery.

And lastly, the figure of affected patients still sticks in the craw. Was it truly 28,531 individuals, or more? An impressively large database of 682,000 records was exposed; are we to believe the actual figure is fewer than 29,000?

Added to this muddle, the doctor’s lawyer stated that the doctor was still sifting through to figure out who exactly needed to be informed. A leaked patient list doesn’t exactly inspire confidence, does it?

We wind up here with a clear view of the state of affairs — woefully inadequate, if you ask me. How it came about that such important data was left out in the open like last week’s fish and chips remains puzzling.

The upshot of all this is that even a casual teller of tales can see that there’s a need for more honesty and transparency. If the job of securing vital data is to be done right, then a spot more diligence is required from here on. Here’s a good toast for you – to honesty, transparency, and secure data!

by Parker Bytes
