BreachExchange mailing list archives
Warren Hospital can ask Internet service provider to identify hackers
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 8 Apr 2013 13:39:35 -0400
http://www.nj.com/warrenreporter/index.ssf/2013/04/warren_hospital_can_ask_intern.html

One or more people who allegedly hacked a hospital computer network may no longer hide their identities behind the anonymity of their computers, according to a ruling from The Appellate Division of the New Jersey State Superior Court.

The court overturned a decision by the lower court to quash a subpoena issued by Warren Hospital. The hospital is seeking the identities of one or more people who spread defamatory messages by allegedly hacking into the hospital’s computer network. The hospital tried to find out the identity of the alleged hacker through the Internet service provider but a superior court judge quashed the subpoena.

“We conclude that the trial judge erred in protecting the anonymity of the alleged hackers,” the appellate judges wrote in their published opinion, released on April 5. Since the opinion is "published" it could be used in setting precedent for similar cases.

According to the hospital’s complaint, which was filed on Sept. 1, 2010, “John Doe One,” an anonymous hacker, accessed Warren Hospital's website on Aug. 17, 2008 and unlawfully and without permission logged onto the hospital's secure mailbox. The hacker then composed and sent to all hospital employees an email with a link to a YouTube video. Both the message and the video compared one of the individual plaintiffs to Adolf Hitler and other dictators, according to court records.

The same day, the hospital intranet was invaded by someone using a different IP address, according to court records.

The hospital, affiliated organizations and some individual employees filed suit in light of these incidents.

On Oct. 19, 2009, an anonymous hacker using a third IP address allegedly accessed the hospital's website.
Using an employee's mailbox, the hacker then allegedly composed and sent an email to all hospital employees accusing more than one of the individual plaintiffs of sexual misconduct and other wrongdoing. The hospital claims these statements are “defamatory or otherwise tortious,” according to court records.

To obtain information about the true identity of the fictitious defendants, plaintiffs served subpoenas on four Internet service providers. On Feb. 27, the last of the motions to quash was granted and the case was dismissed. The hospital appealed and the case has now been reactivated.

The appellate judges cited several articles written in recent years regarding the balance of protecting free speech and providing remedies for people being victimized by anonymous sources spreading false and damaging information. The anonymity of the online world allows anyone to speak out about fraud from the safety of a computer.

“But a click of the mouse may also instantaneously send defamatory messages to a wide audience, causing great harm to the reputation of others. To the extent these speakers choose to remain hidden behind their computers, difficulties are posed for injured individuals who seek redress,” the appellate judges wrote.

The judges wrote that the circumstances in this case were different than people posting anonymously on a public online message board. The hospital argued that what the hacker or hackers did electronically was no different than if they had broken into the hospital and spray painted their messages on the hospital's walls.

The appellate judges agreed that the hospital has the right to pursue discovery into the identities of the hackers as a result of their Aug. 17 and Oct. 19, 2008, actions.

The Internet service provider companies feared that the discovery of the identities of the hackers may provide insight into the identities of some of those who made other anonymous statements referred to in the amended complaint, the judges wrote.
“We find that to be of little concern. If the discovery we now permit reveals that John Does One and Two also uttered other statements in less wrongful or even completely innocent ways — or the revelation of their true identities may lead to a discovery of the identities of other anonymous speakers — then that is a consequence of John Doe One and John Doe Two's alleged wrongdoing,” they wrote.

The matter has been referred back to superior court to deal with the subpoena of just one of the ISPs. It was not clear which hacker, if there is more than one, is a client of that ISP.

A case management conference is scheduled for April 26.