Being notified of a data breach is never good news but nobody expects a company whose data have been exposed to be hard to contact.
And yet this is what happened when respected security researcher Troy Hunt was tipped off last week about a website that had accidentally left a directory containing 43,203 medical files in an unsecured state.
The files could be accessed using the directory’s URL but also, in nearly 7,000 cases, simply by plugging the address into Google, which had even helpfully cached its contents.
Hunt decided to contact the website owner, Indian laboratory company Health Solutions, but hit a dead end when published email addresses bounced back his messages as “user unknown” and he got no response using a contact form.
His urgent pleas for help contacting the company were noticed on Twitter by an Indian BuzzFeed journalist, who confirmed that the breached files were blood pathology reports for named Indian patients, some suffering from Aids.
When BuzzFeed eventually made contact with a Health Solutions, it received a confused, startled response.
The company said it was in the process of moving to a new website in January and could do nothing about the breach until then, saying: “Look, we are not the doctors, we merely do blood tests for patients. […] Maintaining doctor-patient privacy is not something that we as the lab are concerned with.”
On hearing of this response, Hunt described himself as “gobsmacked”. “How on earth can you leak this sort of data and just not care?!”
The confidential files remained accessible until BuzzFeed published its story on the breach on Friday, nearly two days later.
It was later reported that up to 35,000 of the 43,000 files related to patients.
How long had the files been exposed and how did the breach occur? In a separate interview, Health Solutions blamed the company hired to manage the website and admitted it could stretch back six months. Some of the files had been hacked, the company claimed, without elaborating.
Website data breaches have been a running theme for years. In October, Hunt discovered that the Australian Red Cross Blood Service had exposed 1.3 million records on its site, including his own and that of his wife.
Nevertheless, the cautionary tale from India raises issues that go beyond the fact that organisations sometimes get their security wrong.
On the basis of the reported exchanges, it seems that Health Solutions did not respond fast enough or even see the breach as its problem.
If the latter is the case, it is misguided. Sensitive data is always someone’s security problem, regardless of how many others might be subcontracted to handle it.