Security experts trying to tell a rural hospital that a trove of sensitive data belonging to its staff, and possibly its patients, sits exposed on the Internet have been stymied for five days now: no one at the medical facility will respond to their repeated warnings.
Moreover, says one of the experts, this kind of situation happens with alarming regularity.
"This is more commonplace than you might suspect," says a healthcare professional who volunteers for the Open Security Foundation and blogs about privacy issues under the pseudonym Dissent Doe. "I've gone through hoops trying to notify various city agencies at times, and have gotten no responses to attempts to alert a major Canadian newspaper, a major U.S. health insurer where patient info was available on the web if you knew where to look, and a number of small businesses. And those are just the ones I can recall offhand."
In the case of the rural hospital - which Dissent Doe isn't naming out of concern that its server is still vulnerable - she and another OSF member have made multiple phone calls, filled out a formal (outsourced) service desk ticket addressed to the hospital's sysadmin and technical analyst, and sent a direct email to the hospital's CEO.
They've gotten no response.
"The data were dumped on one of the ever-popular paste sites for hackers. Some of the data appear to be from their physician directory, which is no big deal. But there are other databases dumped that contain personally identifiable info such as contact details. One of the databases might be of newsletter subscribers. The other one... well, I have no clue. There are also a few names with email addresses, usernames, and encrypted passwords. I don't know whether those are admin passwords to the server."
Dissent Doe is trying one more approach to get the hospital's attention.
"I did speak with a reporter local to them who will be contacting them," she says. "My hope is that they'll take a phone call from a reporter if they won't respond to us. At least that way they'll find out they have a problem."
Contacting the local press is always an excellent idea, no matter the issue involved.
Dissent Doe's blog post on the OSF website gets into more detail about her efforts to contact the hospital and also offers a list of best practices for organizations that would like to be more responsible.
"Every hospital tells patients that they take the privacy and security of their information seriously," she writes. "I wouldn't believe them if they don't respond to security alerts and make people jump through hoops just to try to inform them that they may have had a breach involving personal information. And I certainly wouldn't believe any hospital that doesn't even return a phone call when you have left them a message that they may have a security problem with their public-facing server."
(Update: According to a story in the Pittsburgh Tribune-Review, the facility in question is Uniontown Hospital, whose VP of HR and marketing says they were already aware of the breach and had rectified it. Even if that's true, Dissent Doe notes: "Of course, that doesn't explain why they didn't have the courtesy to respond when they could see that we were trying to alert them.")