Ask HN: What are my options after a responsible disclosure went wrong?

I'm a parent looking for advice on next steps. My child's healthcare provider uses a third-party vendor for its patient portal. While using the portal, I discovered that simply changing the profile ID in my browser's developer tools (Inspect) caused another patient's information to be returned. I documented the issue and reported it to the healthcare provider.

A month later, the provider emailed that the issue had been resolved and, shortly after that, terminated my child's services. Their letter alleges I committed "unauthorized access" on four separate dates, including one where the provider asked me to provide proof of the issue, and says law enforcement confirmed my actions constituted criminal activity regardless of intent. I dispute that characterization. No law enforcement agency has contacted me.

I've spoken with two attorneys, but the consensus seems to be that this is a legal gray area, and I haven't gotten much practical guidance. For those with experience in responsible disclosure or computer access law:

I'm not looking to debate the facts of the case; I'm trying to figure out the best path forward.
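The bug the poster describes is an insecure direct object reference: the portal trusted the client-supplied profile ID. As an added example (not code from the post or the vendor, all records, accounts and IDs constructed), here is a minimal model of that handler beside a hardened version that authorizes against a server-side ownership mapping and records denied cross-patient requests so the probing shows up in audit logs rather than only in a user report:

```python
# Added example (not from the HN post): the IDOR the poster describes,
# modelled with a handler that trusts the request's profile ID beside a
# handler that enforces ownership and logs denials. All data is constructed.
from dataclasses import dataclass, field

PATIENTS = {
    1001: {"name": "Patient A", "dob": "2015-04-02"},
    1002: {"name": "Patient B", "dob": "2013-09-17"},
}

# Server-side mapping of which patient records each portal account may view.
# Constructed: account "parent1" is authorized for patient 1001 only.
AUTHORIZED = {"parent1": {1001}, "parent2": {1002}}

@dataclass
class Session:
    account: str
    audit: list = field(default_factory=list)  # denied-access events

class Forbidden(Exception):
    pass

def get_profile_vulnerable(session: Session, profile_id: int) -> dict:
    """Insecure direct object reference: the profile_id taken from the
    request is used as-is, so any logged-in account can read any patient."""
    return PATIENTS[profile_id]

def get_profile_hardened(session: Session, profile_id: int) -> dict:
    """Authorize against the server-side mapping, never the client value.
    A denial is recorded so repeated cross-patient requests are visible in
    the audit trail instead of surfacing only when a user reports them."""
    allowed = AUTHORIZED.get(session.account, set())
    if profile_id not in allowed:
        session.audit.append({"account": session.account,
                              "profile_id": profile_id,
                              "event": "DENIED_CROSS_PATIENT_ACCESS"})
        raise Forbidden(f"{session.account} may not view {profile_id}")
    return PATIENTS[profile_id]

def denied_count(session: Session) -> int:
    """Number of denied cross-patient requests recorded for this session."""
    return len(session.audit)

if __name__ == "__main__":
    s = Session("parent1")
    print(get_profile_vulnerable(s, 1002))  # leaks Patient B
    try:
        get_profile_hardened(s, 1002)
    except Forbidden as e:
        print("blocked:", e)
```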