In 2016, Uber suffered a data breach affecting the personal information of 57 million drivers and customers. Uber did not announce the breach until November 2017. In August 2020, the United States Department of Justice (DOJ) filed a criminal complaint against Joseph Sullivan, Uber’s Chief Security Officer at the time of the breach. The DOJ has charged Sullivan with obstruction of justice and misprision of a felony for his alleged role in concealing the 2016 breach.
According to the complaint, two hackers notified Sullivan that they hacked and downloaded a database housing personally identifying information for Uber drivers and customers. The hackers told Sullivan they would keep quiet about the breach if Uber paid them $100,000 in bitcoins.
The complaint accuses Sullivan of concealing the breach from the Federal Trade Commission (FTC) by paying the hackers for their silence, asking the hackers to sign non-disclosure agreements that falsely stated that the hackers did not take any data, and concealing the breach from Uber’s management team. An update to the executive team about the 2016 breach said:
Our common story has to be:
- This investigation does not exist.
- We are doing this in order to better protect our information.
In November 2017, Uber’s new CEO disclosed the breach to the FTC and to the public – long after breach notification was due.
While Uber is not a healthcare provider bound by HIPAA, the concept is the same: Data breach laws require timely notification. Skirting these laws can cause more financial and reputational harm than the breach itself and, in Uber’s case, lead to criminal charges. A Google news search for “Uber criminal charges” yields 115,000 results. It’s not easy to put that level of bad press back in the bottle.
It can be tempting to sweep breaches under the rug, cross our fingers, and hope the breach will not be discovered. But be careful. The Uber complaint is a prime example of how wrong things can go when breaches are not brought to light. The reputational damage of disclosing a breach on time is most likely far less than the harm from concealing it.
Breaches are inevitable, especially in healthcare. But they are also an opportunity to show your customers respect – with both your timely notice, and with your mitigation efforts.