by ManBlanket 1703 days ago
I worked for a government contractor and I understand that behavior completely. The person you spoke with was tasked specifically with damage control. I am positive _somebody_ was grateful for your input, but those people aren't tasked with chatting on the phone. I know because I was dispatched for fixing and quantifying the scope of a similar issue, where a URL was allowing users to download treatment plans of other users. Being healthcare, this is taken rather seriously. While I was happy to fix the problem and grateful someone reported it, I was tasked with regularly reporting the progress of my work and the scope of the breach throughout the incident. My only irk with the person who reported it was that they literally called the governor of the state after casually browsing hundreds of treatment plans, when they could've just called IT support. But yeah, I didn't talk to them; a low-level IT lackey was given that task while I fixed the problem.

Oy vey, that was a mess though. Breaches happen, everyone knows it, even at companies dealing with PHI that are beholden to crazy HIPAA fines. My report ended up conflicting with a bunch of dates that a former supervisor, who at that point wasn't even involved in the department, had knowingly misrepresented to the state. After the fix was merged and I had documented the whole scope of the breach, I went and looked at the emails and reports on the matter. She'd gone and told the state all about the scope of the breach, misquoted release dates of the fixes, and just minimized a bunch of things with which my report directly conflicted. This person, who wasn't in our department anymore, shouldn't have even been involved in the first place, yet here I was looking at publishing a report that would land her in trouble. It put me in a difficult spot. I didn't want to get her in trouble and I thought about misrepresenting my own report. In the end I figured she had made her bed; my report was the definitive statement on the matter and her emails were largely reactive, so maybe they'd just forget what she said. It was, and they did.

The most important thing you need to do during a breach is be honest. On the other end, be vocal and trust in the fact that what you're doing is ultimately helpful. The government doesn't want to fine businesses. The only thing that'll end up screwing a company is if they're found to be negligent or dishonest. Negligence is easy to avoid because all you need to do is reasonably try to fix the problem once you've been made aware of it. Dishonesty, on the other hand, is a foot... that, like a diaper-bound chubby baby, some people can't help shoving into their mouths. Don't throw IT under the bus though, man; even if that guy on the phone was rude, there were some good people on the matter. Some people just don't know how to act when they're caught up in a problem.