BreachExchange mailing list archives

Warren Hospital can ask Internet service provider to identify hackers


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 8 Apr 2013 13:39:35 -0400

http://www.nj.com/warrenreporter/index.ssf/2013/04/warren_hospital_can_ask_intern.html

One or more people who allegedly hacked a hospital computer network
may no longer hide their identities behind the anonymity of their
computers, according to a ruling from the Appellate Division of the
New Jersey State Superior Court.

The court overturned a decision by the lower court to quash a subpoena
issued by Warren Hospital. The hospital is seeking the identities of
one or more people who spread defamatory messages by allegedly hacking
into the hospital’s computer network.

The hospital tried to find out the identity of the alleged hacker
through the Internet service provider but a superior court judge
quashed the subpoena.

“We conclude that the trial judge erred in protecting the anonymity of
the alleged hackers,” the appellate judges wrote in their published
opinion, released on April 5.

Since the opinion is "published" it could be used in setting precedent
for similar cases.

According to the hospital’s complaint, which was filed on Sept. 1,
2010, “John Doe One,” an anonymous hacker, accessed Warren
Hospital's website on Aug. 17, 2008 and unlawfully and without
permission logged onto the hospital's secure mailbox. The hacker then
composed and sent to all hospital employees an email with a link to a
YouTube video. Both the message and the video compared one of the
individual plaintiffs to Adolf Hitler and other dictators, according
to court records.

The same day, the hospital intranet was invaded by someone using a
different IP address, according to court records.

The hospital, affiliated organizations and some individual employees
filed suit in light of these incidents.

On Oct. 19, 2009, an anonymous hacker using a third IP address
allegedly accessed the hospital's website. Using an employee's
mailbox, the hacker then allegedly composed and sent an email to all
hospital employees accusing more than one of the individual plaintiffs
of sexual misconduct and other wrongdoing.

The hospital claims these statements are “defamatory or otherwise
tortious,” according to court records.

To obtain information about the true identity of the fictitious
defendants, plaintiffs served subpoenas on four Internet service
providers. On Feb. 27, the last of the motions to quash was granted
and the case was dismissed.

The hospital appealed and the case has now been reactivated.

The appellate judges cited several articles written in recent years
regarding the balance of protecting free speech and providing remedies
for people being victimized by anonymous sources spreading false and
damaging information.

The anonymity of the online world allows anyone to speak out about
fraud from the safety of a computer. “But a click of the mouse may
also instantaneously send defamatory messages to a wide audience,
causing great harm to the reputation of others. To the extent these
speakers choose to remain hidden behind their computers, difficulties
are posed for injured individuals who seek redress,” the appellate
judges wrote.

The judges wrote that the circumstances in this case were different
than people posting anonymously on a public online message board. The
hospital argued that what the hacker or hackers did electronically was
no different than if they had broken into the hospital and spray
painted their messages on the hospital's walls.

The appellate judges agreed that the hospital has the right to pursue
discovery into the identities of the hackers as a result of their
Aug. 17 and Oct. 19, 2008, actions.

The Internet service provider companies feared that the discovery of the
identities of the hackers may provide insight into the identities of
some of those who made other anonymous statements referred to in the
amended complaint, the judges wrote.

“We find that to be of little concern. If the discovery we now permit
reveals that John Does One and Two also uttered other statements in
less wrongful or even completely innocent ways — or the revelation of
their true identities may lead to a discovery of the identities of
other anonymous speakers — then that is a consequence of John Doe One
and John Doe Two's alleged wrongdoing,” they wrote.

The matter has been referred back to superior court to deal with the
subpoena of just one of the ISPs. It was not clear which hacker, if
there is more than one, is a client of that ISP.

A case management conference is scheduled for April 26.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list