Fullerton Admits to Criminal Incompetence

The City of Fullerton today admitted that they broke multiple laws in how they utilized Dropbox to illegally store what they claim are private and confidential files.

A few weeks back my attorney submitted a records request which the city just partially responded to today with any substance. There’s a lot of legal nonsense and lawfare going on here but one thing stood out related to Dropbox.

CPRA Fullerton Dropbox Response
No contract you say?

This is interesting because the Federal Department of Health and Human Services has very strict rules governing how you can and cannot store & transmit health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The two important issues here are known as the HIPAA Privacy Rule and the HIPAA Security Rule.

Basically you have to be smart in how you store personal medical files. To facilitate this Dropbox uses what is known as a Business associate agreement (BAA) which constitutes a contract. NOT ONLY do you have to sign this contract (electronically is fine) but it also, according to Dropbox’s terms, “must be in place before the transfer of [Personal Health Information] PHI from the covered entity to the business associate”.

The user, in this case the City of Fullerton, would also need to make sure THEY THEMSELVES comply with Federal Laws related to PHI.

Had the City of Fullerton’s attorneys done their job they would have seen this in the “getting started with HIPPA guide” from Dropbox:

“If your team handles Protected Health Information (PHI), you can configure your account so folders, links, and Paper docs can’t be shared with people outside of your team. When team members create shared folders, they can further customize the folders’ settings and choose the appropriate level of access — edit or view-only”

But wait – aren’t we being sued in part because we allegedly went to the City of Fullerton’s Dropbox account and “illegally” accessed files and information including personal heaslth records?

The City Council sure seemed to think that was the case. Back on 14 November 2019, City Council Member Ahmad Zahra asked me the following on Facebook (emphasis added):

“However, I’d like to ask you a question: Regardless of how or why it was obtained, do you hold in your possession any private and confidential city employee information that includes social security numbers, health records or other personal information?”

How would that be possible unless the City of Fullerton, who only alleges we accessed their Dropbox account, put such files into said Dropbox folder?

Because that’s exactly what they did – according to their own court filings they put these records into an unsecured Dropbox folder they opened up to the world.

Health Records on Dropbox

And furthermore, according to the City’s most recent court filing which was filed today:

Unaware of Access
They just ignored basic security because… reasons

“The City was unaware Appellants were accessing materials not intended for them to which the City had not specifically directed them or given them permission to access.”

That ALONE ignores basic access controls in clear violation of the HIPPA Security Rule:

“The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission.”

They city admits to putting PHI online and not verifying who was accessing, or even who had access, to such information. But at least they took the security of the files themselves seriously in compliance with State & Federal laws, correct?

Not even close.

Reused Passwords
Reused Passwords.

Unfortunately, City staff reused passwords, so that passwords to other files and folders within the City’s Dropbox account, to which Appellants were not given direction or permission to access, could be guessed by Appellants.”

“Reused passwords”. Let that sink in for a minute. Yeah, total violation of Federal HIPPA laws.

But wait, there's more!
But wait, there’s more!

Because Dropbox requires a Business Associate Agreement BEFORE you can place Personal Health Information on their servers, and the City claims they have no such agreement (ie contract) AND that they didn’t follow Dropbox’s access requirements, then they are in violation of the Computer Fraud & Abuse Act of 1986 (CFAA) & the state variant (CDAFA) for being, and I quote with a great bit or irony, in “excess of authorization”.

Jones & Mayer opened the City of Fullerton up to an unknown number of lawsuits with their wanton disregard for the most basic of security protocols.

On top of the hacking crimes against Dropbox, this is a Department of Health & Human Services Civil Rights lawsuit waiting to happen. No wonder Jones & Mayer are spending so much time papering the courts with bullshittery to hide their illegal actions and gross incompetence from the City. It’d be a real shame if the impacted people, who the city was legally required to notify, were to file federal complaints over Privacy [HERE] or Security [HERE] against Fullerton.

As an aside, the city claims emails referencing “dropbox,” “cityoffullerton/com/outbox,” “Fullerton!,” “Full3rtOn!,” or “synoptek” from 2015 to 10/24/2019 yielded 9,700 results. Even AFTER excluding “Fullerton!” & “Full3rtOn!” owing to the wildcard nature of the “!” they claim 9,700 results and they want about $21,000 to sort and redact them. They totally weren’t sharing this information we “hacked” far and wide. Right.

This is yet another example of how the City of Fullerton wastes your money. The cost to sue us is a colossal waste to taxpayers for the sole purpose of covering up the City Attorney’s mistakes and the impending lawsuits over HIPPA will likewise come out of your taxes without a single bureaucrat or attorney being held accountable for their crimes/incompetence.

14 Replies to “Fullerton Admits to Criminal Incompetence”

  1. These people are so egregiously unlawful, especially Hamel and the Fullerton Police Department. They have ruined lives and are responsible for the early deaths of two seniors citizens, and many others. The City, and the Police department, ‘the swamp’ needs to be cleaned up and held accountable. The victims need to be compensated for there losses, without anymore bullshit, lies and or deceit.

    The City of Fullerton admits they broke multiple laws, now its time to take responsibility and pay. Justice needs to happen for all who have been harmed by the City and the Fullerton Police Department. In addition these attorneys who get rich off of the City representing these unlawful people, they must be held accountable as well and do the right thing. They are just as guilty representing these unlawful people, they know the truth and have been getting away with murder, along with lining their pockets with tax payer money, do the right thing! and you know who you are.

    In the final analysis, it will get much worse these people who have caused such pain and suffering for these victims, and all involved if they do not do the right thing.

    PS: (One of the Fullerton’s attorneys already committed suicide involved with the corruption of Fullerton). If this is not a sign, I don’t what is.

    God Bless you Josh for your fight and not giving up, Justice will happen for you and your family. Keep the faith.
    .. ..

  2. Unbelievable! Now the City’s corrupt law firms being uncovered- Hold on the ride has just begun. Anyone else please step forward it’s high time someone let some light in on all the darkness. What an outrageous way to spend the people’s money. Couldn’t we just have more fruit festivals ?

  3. There needs to be an independent audit of the city’s financial accounts. Follow the money trails and the corruption will be factually shown. Then throw all those criminals involved in prison where they belong.

      1. More is involved than just paying the out government’s union members exorbitant pensions/salaries, which is considered legal and transparently allocated to the majority of the yearly budget. What needs to be investigated are the taxes paid for unfulfilled promises to fix the infrastructure, the new water tax plus obvious corrupt kickbacks going on from conflicts of interest. This is all stealing from the taxpayers. Also, who is responsible for the negotiating and approval of the union contract deals? Make our city government accountable.

        1. A lot to root out. Like all the shoddy construction and mismanaged projects. The incompetence is remarkable.

        2. 100 !! perfectly spoken. Appears that some are fired, asked to leave with sign/trade deals. They must have a long line of fake pensions lined up and cover each other till the brutal end. Is the end in sight or more innocent hurt and money stolen?

  4. As much as I hate tax dollars being used to pay off legal claims, I really hope you sue and win a LOT of money and that the council fires the executives in charge of screwing up and hiding the truth.

  5. If a lawsuit was filed against the City for publicly sharing confidential employee data, are the affected employees eligible to file a class-action for being victims of the City’s negligence?

    We see this frequently with corporate data breaches (TikTok, Target, Equifax, etc.) and victims are offered settlements … albeit anywhere betwen $10 to $200, but still… it’s messed up that FFFF and possibly others have accessed confidential employee information and no one has been held accountable for it.

    1. They’re trying to hold the WRONG people accountable. Zahra, Silva, Fitzgerald and Flory. The axis of evil meets the the two stooges.

Leave a Reply

Your email address will not be published. Required fields are marked *