Earlier this week we reported on personal data of healthcare professionals working for SOCOM being leaked online. Since then, Potomac Healthcare Solutions has responded with several statements as it sought to get control of the situation.
Monday
On Monday Potomac Healthcare Solutions said: “We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information. Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support. While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns.”
Thursday
That review has now been completed and we received an email last night with the results of their investigation. It said: “As a follow-up to the initial communication on this issue, Potomac Healthcare Solutions, with support from an external forensic IT firm, has completed its investigation of a security incident involving the unauthorized access of one of our internal servers. Despite earlier media reports, our review, which was immediately initiated after the initial questions were raised, has confirmed that the impacted server did not contain any classified government information or protected medical or personal data related to active duty military personnel or their families.
“However, the affected server did contain files with data of a limited number of current and former Potomac employees’ personal information. While we have no evidence to suggest that any employee information has been used inappropriately, Potomac is in the process of proactively reaching out to impacted employees to provide guidance on how they can protect themselves and is offering complimentary credit monitoring and identity theft protection services to affected individuals. The privacy and security of personal information is a top priority, and we are committed to taking steps to prevent this type of incident from occurring again in the future.”
A carefully worded response
We asked Chris Vickery, who runs the Security Watch column at MacKeeper and who discovered the breach, for his take on this response. This is what he had to say: “Potomac is downplaying the incident. My claims were never that active duty soldier personnel files were exposed. Potomac appears to now be corroborating what I reported, albeit with carefully chosen wording. Private information of healthcare professionals working in sensitive positions was indeed exposed.”
It is also noticeable that the delay Vickery experienced when he reported the breach is glossed over. As we said in our original article, the delay could have been caused by problems with internal processes. When an IT security issue is reported by an outsider, who do you hand the information to? It is not just outsiders: many companies struggle with how to correctly handle reports from their own staff.
The Potomac Healthcare Solutions response also avoids any mention of the cause of the problem. It does say the company is taking steps to avoid a repetition, but that is the stock comment you would expect.
Conclusion
Despite the omissions and careful wording, Potomac Healthcare Solutions should be given some credit here. It has publicly responded to the issue, conducted a review with an outside agency and promptly published the results. Very few companies do more than apologise and publish links to credit reference and fraud agencies. For serving members of the US Armed Forces working at SOCOM, the fact that their data was not exposed will come as a relief.