The City of Fullerton today admitted that it broke multiple laws in how it used Dropbox to store what it claims are private and confidential files.
A few weeks back my attorney submitted a records request. Today the city finally gave a partial response with any substance. There’s a lot of legal nonsense and lawfare going on here, but one thing stood out related to Dropbox.
This is interesting because the U.S. Department of Health and Human Services has very strict rules governing how you can and cannot store and transmit health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The two important pieces here are known as the HIPAA Privacy Rule and the HIPAA Security Rule.
Basically, you have to be smart in how you store personal medical files. To facilitate this, Dropbox uses what is known as a Business Associate Agreement (BAA), which constitutes a contract. NOT ONLY do you have to sign this contract (electronically is fine) but it also, according to Dropbox’s terms, “must be in place before the transfer of [Protected Health Information (PHI)] from the covered entity to the business associate”.
The user, in this case the City of Fullerton, would also need to make sure THEY THEMSELVES comply with Federal Laws related to PHI.
Had the City of Fullerton’s attorneys done their job, they would have seen this in the “Getting started with HIPAA” guide from Dropbox:
“If your team handles Protected Health Information (PHI), you can configure your account so folders, links, and Paper docs can’t be shared with people outside of your team. When team members create shared folders, they can further customize the folders’ settings and choose the appropriate level of access — edit or view-only”
But wait – aren’t we being sued in part because we allegedly went to the City of Fullerton’s Dropbox account and “illegally” accessed files and information, including personal health records?
The City Council sure seemed to think that was the case. Back on 14 November 2019, City Council Member Ahmad Zahra asked me the following on Facebook (emphasis added):
“However, I’d like to ask you a question: Regardless of how or why it was obtained, do you hold in your possession any private and confidential city employee information that includes social security numbers, health records or other personal information?”
How would that be possible unless the City of Fullerton, which alleges only that we accessed its Dropbox account, put such files into said Dropbox folder in the first place?
Because that’s exactly what they did – according to their own court filings, they put these records into an unsecured Dropbox folder they opened up to the world.
And furthermore, according to the City’s most recent court filing which was filed today:
“The City was unaware Appellants were accessing materials not intended for them to which the City had not specifically directed them or given them permission to access.”
That ALONE ignores basic access controls, in clear violation of the HIPAA Security Rule:
“The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission.”
The city admits to putting PHI online and not verifying who was accessing, or even who had access to, that information. But at least they took the security of the files themselves seriously, in compliance with state and federal law, correct?
Not even close.
“Unfortunately, City staff reused passwords, so that passwords to other files and folders within the City’s Dropbox account, to which Appellants were not given direction or permission to access, could be guessed by Appellants.”
“Reused passwords”. Let that sink in for a minute. Yeah, total violation of federal HIPAA law.
Because Dropbox requires a Business Associate Agreement BEFORE you can place Protected Health Information on its servers, and the City claims it has no such agreement (i.e. contract) AND admits it didn’t follow Dropbox’s access requirements, the City is itself in violation of the Computer Fraud & Abuse Act of 1986 (CFAA) and the state variant (CDAFA) for being, and I quote with a great bit of irony, in “excess of authorization”.
Jones & Mayer opened the City of Fullerton up to an unknown number of lawsuits with their wanton disregard for the most basic of security protocols.
On top of the hacking crimes against Dropbox, this is a Department of Health & Human Services Office for Civil Rights complaint waiting to happen. No wonder Jones & Mayer are spending so much time papering the courts with bullshittery to hide their illegal actions and gross incompetence from the City. It’d be a real shame if the impacted people, whom the city was legally required to notify, were to file federal complaints over Privacy [HERE] or Security [HERE] against Fullerton.
As an aside, the city claims that searching emails from 2015 to 10/24/2019 for “dropbox,” “cityoffullerton/com/outbox,” “Fullerton!,” “Full3rtOn!,” or “synoptek” yielded 9,700 results. Even AFTER excluding “Fullerton!” and “Full3rtOn!” (owing to the wildcard nature of the “!”), they still claim 9,700 results, and they want about $21,000 to sort and redact them. They totally weren’t sharing this information we “hacked” far and wide. Right.
This is yet another example of how the City of Fullerton wastes your money. The cost to sue us is a colossal waste to taxpayers for the sole purpose of covering up the City Attorney’s mistakes, and the impending lawsuits over HIPAA will likewise come out of your taxes without a single bureaucrat or attorney being held accountable for their crimes or incompetence.