Over a dozen FBI agents raided the house of Justin Shafer, 36, of Texas, a dental computer technician and software security researcher who previously reported security issues in the software and server infrastructure of a US-based healthcare services provider, according to reports.
Prior to having his house searched and 29 items seized, Shafer had reported to Patterson Dental that their Eaglesoft dental practice management software was storing private patient records in a publicly-available FTP server.
Shafer discovered this while he was investigating the company’s Eaglesoft software. The researcher eventually found that Eaglesoft was using a hard-coded database password shared across all installations.
Shafer’s good deed doesn’t go unpunished
Shafer worked with DataBreaches.net and Patterson Dental to secure the FTP server, and made his findings public in mid-February. The FTP server exposed the patient records, and Shafer claims it had been doing so since as early as 2006.
At the end of March, US-CERT also published an alert on Patterson Dental’s Eaglesoft software issues, related to its hard-coded database credentials.
As it appears today, instead of thanking the researcher for his responsible disclosure of a sensitive data leak, Patterson Dental filed a complaint with local law enforcement authorities claiming it had been hacked.
FBI agents told Shafer during the house search that Patterson Dental had claimed that he “exceeded authorized access” when researching the issue of the publicly-available FTP server.
The US has problems interpreting its “hacking” laws
This entire incident is another case of the US Computer Fraud and Abuse Act (CFAA), a piece of poorly written legislation that allows authorities to prosecute security researchers as if they were criminals.
In a very simple explanation, this law would allow police to charge people as thieves after they find wallets on the street and return them to their owners.
Horrendous misinterpretations of the CFAA have led to the prosecution, and in some cases even the conviction, of many security researchers. The most famous case is that of Aaron Swartz, who, after being badgered and harassed with overblown accusations, took his own life in 2013.
This is not Shafer’s first run-in with the healthcare industry. Previously, the researcher found out that Henry Schein was making false claims that its Dentrix G5 software was using encryption. Shafer’s findings led to another US-CERT alert, and.
We’ll be featuring a special story on the recently proposed CFAA reforms later on today.