
A few years ago I found a random SSD on the ground while on a walk with my son. The drive contained unencrypted records which squarely fall under HIPPA. I also did the right thing and returned it to the proper owner and told them about how their mdb files were readable by anyone.

The same exact thing happened. They thanked me and then their lawyers nicely asked me to clone my hard drive and sign a bunch of shit.

It was not fun at all. A lot of them thought that I hacked something.




The type of organization that would store HIPPA encumbered data unencrypted, which based on my brief reading is not legal anymore, is not one that would operate in a reasonable (or legal) manner. Sadly, that seems to be most organizations that fall under HIPPA: compliance is a box to be checked while expending as little resources and effort as possible.

How they reacted to your kind action is sad, and depressingly common. I hope you told them to pound sand, and contacted whoever the data protection authorities were in your state. There needs to be much more aggressive enforcement of HIPPA and similar data protection laws, CYA bull like you encountered should not be happening.

Article I ran across: https://info.townsendsecurity.com/bid/74330/Does-HIPAA-Requi...


Guys, it's HIPAA not HIPPA.


This is an interesting case. I always pronounced HIPAA as "hee-pah". That has the advantage of approximating the spelling, but the disadvantage that it's not really a natural way for an English word to be pronounced.

People in the medical field, who deal with HIPAA all the time, pronounce it as if it was spelled HIPPA. It's a short step from there to actually spelling it HIPPA.


Did you actually give them that clone and sign the documents? Or did you give push back like in the article?

It feels to me like they shouldn't have much of a leg to stand on.


I did consider fighting them for about 7 minutes. Then I remembered that they had a legal team paid for by taxpayers, while I had a toddler and a pretty decent, mostly stress free life.

The laptop that I connected their SSD to was my coding box, so I deleted all the code and secure erased the free space before they cloned it. They gave me shit about it too, because their forensic people saw days without any file activity. When I told them that it was because I removed my IP they responded with "why don't you think you need to do that? We can keep your data from falling into the wrong hands".

Maybe if I was some kind of an activist I would have tried to fight it.


“We can keep your data from falling into the wrong hands...” just like they did for that drive you found.


I don’t understand...

You found a drive, tried to return it and then were subject to an illegal search? Or you consented to a search that would have otherwise been illegal?


I consented to a search


I personally don’t consent to any searches. But I’m sorry you tried to help out and then were coerced into having your liberty taken.


Yeah it sucked. Lesson learned :P

Also, googled you. Here is a quote from your website: "I'm an american entrepreneur, inventor and __activist__" :)


Handling these kinds of things anonymously is the only reasonable way to protect yourself.


Is there a service that supports this? Like, get it to a security researcher, wipe it from your drive, and have the security researcher handle returning the data and providing a basic education (or reporting the data loss to the appropriate authorities.)


Just turn it in to the police anonymously, let them look at the drive.


Why would you ever reach out to the owner? Is patting yourself on the back really worth the risk?


To tell them about their huge security hole.


It will fall on deaf ears.



