By Santiago Mejia
City College instructor Sam Bowne filed a federal complaint against LSU Health Center New Orleans (University Health) for allegedly violating his rights under the Health Insurance Portability and Accountability Act’s (HIPAA) retaliation policy.
The complaint was filed Aug. 29 with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
If found at fault, University Health may be fined anywhere from $100 to more than $25,000 by HHS, depending on the violation it finds.
Bowne, who teaches ethical hacking and network security, said he filed the OCR complaint after University Health released an allegedly misleading press release on Aug. 19.
The press release stated University Health “experienced a computer security breach” and that Bowne was “demonstrating potential vulnerabilities of computer system(s) to his class.”
The News-Star, a Louisiana-based newspaper that reports 3.5 million online page views a month, published a story on the incident drawing on the allegedly misleading press release.
SC Magazine, which produces news content on information technology and IT security, cited The News-Star and published its own story titled “Professor hacks University Health Conway in demonstration for class.”
“I did not ‘hack’ anything, or ‘demonstrate’ anything in a class,” Bowne said, in an Aug. 29 web post. “I was not even teaching any classes at (the) time. The allegations are baseless, false, and libelous.”
Bowne said he used Google’s search engine to find University Health’s publicly exposed data. He sent his findings in an email complaint to their HIPAA compliance office on June 17, to inform them of their security problems.
According to HIPAA, anyone can file a complaint and entities cannot retaliate against a person for doing so.
In the email complaint, Bowne listed security problems ranging from compromised FTP servers (FTP is a common way to transfer files on the Internet from one computer to another) to dozens of publicly exposed files containing medical data of more than 6,000 patients.
He noted that these problems had been exposed for at least a year.
“Please alert your technical and legal staff. I am happy to answer any questions you may have,” concluded Bowne’s complaint.
University Health officials never replied to the complaint, but instead released the “fabricated story” to the press.
Following the press release and news stories, Definitive Data Security founder John Poffenbarger sent an email to City College officials encouraging them to address the matter and suggesting a formal investigation against Bowne.
Poffenbarger cited SC Magazine as his source of the incident.
“My employer was then requested to censure me for this falsely alleged criminal activity,” Bowne said. “This was vicious and dishonest retaliation against me for reporting the HIPAA violation (on June 17).”
University Health’s press release stated that HIPAA requires them to inform individuals affected and the media of the event, but Bowne suggests that the way the press release was written violates the HIPAA retaliation policy.