Security researcher discovers glaring problem with patient data system, FBI stages armed dawn raid
Justin Shafer was roused from his bed this week by thunderous knocking at his North Richland Hills, Texas home, and when he opened the door, found himself staring down the barrel of a 'big green' assault weapon, wielded by one of the 12-15 armed FBI agents on his lawn.
Shafer, a dental computer integrator and security researcher, had previously helped Databreaches.net to document failings in Henryshein Dental's widely used Dentrix software, which had been exposing sensitive patient data, despite the company's claims that they encrypted this data (they didn't). Schafer had also filed a FTC complaint that resulted in Henryshein entering into a consent degree with the Commission stipulating to the problems that Shafer had discovered.
Schafer had recently continued on his work by documenting vulnerabilities in Patterson Dental's Eaglesoft practice management software, which stored unencrypted patient records on a public FTP server. Schafer notified Eaglesoft of the breach in February, and worked with Databreaches to begin notifying affected practices about the patient data they were exposing to the public Internet. Once the data had been secured, Shafer went public with his information, notifying the 22,000 affected patients that their data had been public for many years, possibly since 2006. CERT and the DHS issued advisories about the software's defects, noting that Patterson had yet to take any steps to correct the situation, and had disclosed no plan to do so.
It appears that Eaglesoft asked the FBI to raid Shafer, alleging that his investigation of their vulnerabilities violated the Computer Fraud and Abuse Act, the law used to hound Aaron Swartz to his death, which makes it a felony to "exceed authorization" on a computer.
Shafer's children and wife were terrorized by the armed raid. The gun pointed at Shafer was only a few feet away from the crib where his baby slept.
So why was the FBI raiding Shafer and treating him like a dangerous criminal? The Daily Dot was unable to obtain a copy of the probable cause affidavit by the time of publication, and it may be under seal. But as one agent subsequently informed Shafer, it stemmed from an incident in February, when Shafer discovered another security vulnerability in dental records, this one a publicly available File Transfer Protocol (FTP) server operated by the team behind Eaglesoft, a dental practice management software. Eaglesoft is manufactured by Patterson Dental, a division of Patterson Companies. According to Shafer, he was researching an issue with hard-coded database credentials when a search for a password led him to an anonymous FTP server that allowed anyone access. When Shafer looked at the files on the publicly available server and saw a directory with patient data, he took steps to alert Patterson to secure the protected health information. The FBI was not, of course, there to commend Shafer for responsible disclosure. The agent told him that Patterson Dental was claiming Shafer had “exceeded authorized access” in accessing its FTP server, which is illegal under the CFAA. Attempts by the Daily Dot to contact Patterson by email, website contact form, and phone over the past 24 hours produced no responses.
FBI raids dental software researcher who discovered private patient data on public server [Dissent Doe/Daily Dot] (via Ars Technica) FBI raids dental software researcher who discovered private patient data on public server [Dissent Doe/Daily Dot]