From: "Magarian, Edward" (Magarian.Edward@dorsey.com)
To: root[at]attrition.org, jericho[at]attrition.org, comega[at]attrition.org, munge[at]attrition.org, bmartin[at]attrition.org
Date: Fri, 12 Jan 2007 10:00:34 -0600
Subject: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM
Parts/Attachments:
   1 Shown   ~7 lines  Text (charset: ISO-8859-1)
   2         58 KB     Application
----------------------------------------

Enclosed please find a letter on behalf of my client Medica Health Plans. I trust that we can quickly address and resolve this issue.

Ed Magarian

(attrition letter .pdf)
From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org
Date: Fri, 12 Jan 2007 11:17:36 -0500 (EST)
Subject: Re: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM

: Enclosed please find a letter on behalf of my client Medica Health
: Plans. I trust that we can quickly address and resolve this issue. Ed
: Magarian

Hello,

Please find an e-mail on behalf of attrition.org:

We do not read PDF or DOC files from strangers. Please read http://www.us-cert.gov/cas/tips/ST04-010.html for details. Please re-send whatever this is in plain text, which is perfectly acceptable (and safe) for all mail readers.

Jared E. Richo
attrition.org
From: "Magarian, Edward" (Magarian.Edward@dorsey.com)
To: security curmudgeon (jericho[at]attrition.org)
Cc: legal[at]attrition.org, root[at]attrition.org, jericho[at]attrition.org, comega[at]attrition.org, munge[at]attrition.org, bmartin[at]attrition.org
Date: Fri, 12 Jan 2007 11:00:55 -0600
Subject: RE: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM

January 12, 2007

VIA ELECTRONIC SUBMISSION TO: www.attrition.org

Re: Medica Health Plans and Your Web Site attrition.org

Dear attrition.org:

I have been retained by Medica Health Plans ("Medica") in connection with false and defamatory statements we learned you published about my client which can be found at http://attrition.org/dataloss; http://attrition.org/dataloss/dldos.html; and http://attrition.org/dataloss/dataloss.csv (see item #110). I am sending this letter to the contact on your website because it appears to be your preferred method of communication.

You have published and continue to publish to this day statements that Medica had a data loss on June 29, 2005 affecting 1,200,000 members related to "fraud." This defamatory information has been picked up by other websites including www.emergentchaos.com. These statements which have been republished are simply false and defamatory.

The issue referenced by your site had nothing to do with any member data, personal or otherwise, and there are no facts to support such an assertion. Your publication of statements which expressly targets Medica with the stain of exposing or even allegedly exposing personal information of its 1.2 million members is false, defamatory, damaging and constitutes defamation per se.

It is imperative that we move to address this defamation immediately before further damage is done to my client. To start the process, you must remove any such reference to Medica from your materials and disclose to us whether you republished these false statements in any other materials.
We also expect your cooperation removing that material from other websites such as www.emergentchaos.com.

If you or your organization elect to retain counsel, please have that counsel contact me immediately. I can be reached at my office (612-340-7873). If you or your company elect not to retain counsel, then please contact me immediately so that we can discuss measures to attempt to mitigate the damage done. If we do not hear from you or any counsel you or your company might retain, you may leave us with little choice but to pursue our legal remedies.

Very truly yours,

/s/ EDWARD B. MAGARIAN
From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org, denver@dorsey.com, carter.cheri@dorsey.com, meltzer.curt@dorsey.com, media@medica.com
Date: Sun, 14 Jan 2007 02:26:11 -0500 (EST)
Subject: RE: FW: Scanned document (2 pages ~55 KB) -- 1/12/2007 9:45:56 AM

Hello Edward,

When I last replied, I added the appropriate address for contact regarding this matter; myself and the legal[at]attrition.org address. You opted to once again send this to several people that are not involved with the main attrition.org web site and do not have access to update it. In return, I am going to include some extra folks at Dorsey & Whitney LLP in our dialogue. You may drop them from the CC if you also drop the irrelevant attrition.org addresses in future correspondence.

: Re: Medica Health Plans and Your Web Site attrition.org
:
: I have been retained by Medica Health Plans ("Medica") in connection
: with false and defamatory statements we learned you published about my
: client which can be found at

[..]

: You have published and continue to publish to this day statements that
: Medica had a data loss on June 29, 2005 affecting 1,200,000 members
: related to "fraud." This defamatory information has been picked up by
: other websites including www.emergentchaos.com. These statements which

Your wording makes several implications that are simply false and misleading. First, the information regarding the Medica breach originated with an article written by Glenn Howatt of the Star Tribune, which was originally located at http://www.startribune.com/stories/535/5481317.html. The Star Tribune cycles their articles so that it now costs $2.75 to see it, but the same article is still there in its entirety. The original article has not been edited, revised or retracted as far as we can tell (after paying the fee to see it).
After that article, hundreds of other web sites and mail lists 'picked up' on it and either republished it or summarized the content. We (attrition.org) do not make false or defamatory statements regarding Medica.

: have been republished are simply false and defamatory.

Given that you are a partner at Dorsey & Whitney LLP I assume that means you are a lawyer. If so then you of all people should be aware of several things related to your allegations. First and foremost, the article is not defamatory toward your client.

    DEFAMATION - An act of communication that causes someone to be shamed, ridiculed, held in contempt, lowered in the estimation of the community, or to lose employment status or earnings or otherwise suffer a damaged reputation. Such defamation is couched in 'defamatory language'. Libel and slander are defamation.
    - http://www.lectlaw.com/def/d021.htm

Since the work in question is not spoken I will assume that you or your client is claiming that the article is libelous. As best I know, and I am not a lawyer, there are a few key points of libel / slander; it must be harmful, it must be untrue and it must be done with malicious intent. Please feel free to quote the exact wording of the law if one of these points is not true.

That said, let's examine your claims:

: The issue referenced by your site had nothing to do with any member
: data, personal or otherwise, and there are no facts to support such an
: assertion.

Quoting from the Star Tribune article:

    Still, it took Medica's security investigators at least 45 days to detect problems and another 20 days before the company took direct action to stop the employee alleged to have done the most damage, according to court documents.

    [..]

    During that time, the system was sabotaged four times, limiting legitimate access by employees and vendors.
    Confidential business documents were copied, including personnel information about the information technology department as well as letters to outside attorneys concerning lawsuits, according to court documents. And even after Medica had identified the suspects, they erased the hard drives of their company laptops without interference, destroying critical evidence, according to court documents.

    [..]

    In the end, Medica did find the alleged perpetrators, and even though it is not completely certain about what information was downloaded, the evidence suggests that it did not include personal information about Medica members.

    [..]

    Medica said it has enough evidence to prove that the two former employees were responsible for the security breaches.

If you read these quoted portions, and further assume that Glenn Howatt was not fabricating his information, it is abundantly clear that Medica acknowledges the breaches and specifically says they are "not completely certain about what information was downloaded" and that the remaining evidence *suggests* personal information was not downloaded.

Just like I must assume your knowledge of the legal system is more thorough than mine, you should probably assume my knowledge of computer security and forensics is more thorough than yours. Since Medica acknowledges that evidence was destroyed and they can't even ascertain what information was stolen from their computers, there is basically no chance that Medica will *ever* be able to say what happened with any certainty, and the forensics will back my claim.

: Your publication of statements which expressly targets Medica with the
: stain of exposing or even allegedly exposing personal information of its
: 1.2 million members is false, defamatory, damaging and constitutes
: defamation per se.

We do not "expressly target" Medica in any way.
Please re-read the URLs you originally quoted and you will see that we collect information from third parties regarding dataloss incidents, including possible breaches (which Medica would classify as). According to the original article, Medica says they can "not [be] completely certain about what information was downloaded." So, how are they not certain what information was downloaded, but now certain enough to claim that the Star Tribune article is defamatory in saying that the information may have been breached? Medica can't have it both ways.

: It is imperative that we move to address this defamation immediately
: before further damage is done to my client. To start the process, you
: must remove any such reference to Medica from your materials and
: disclose to us whether you republished these false statements in any
: other materials. We also expect your cooperation removing that material
: from other websites such as www.emergentchaos.com.

You were doing so well up until this point. You actually expect us to not only do your job for you, but do so when there was no defamatory comment made? Are you lazy or naive as to how the internet works? We have no control over Emergent Chaos or any other web site out there. If you want to know where the Medica information was posted to (in general, not necessarily by us), then use Google (http://google.com) and search for the title of the Star Tribune article. We can and will not assist you in threatening other web sites to remove content.

The fact that you apparently haven't contacted the Star Tribune, as the original source of this article, suggests you are randomly targeting sites that you have a notion will cave in to legal threats. In addition to the Star Tribune still publishing the article, this same information is currently hosted by the Department of Health And Human Services (hhs.gov), Frank Crystal & Co., Inc.
(fcrystal.com), Cygnus Business Media (securityinfowatch.com), Phoenix Health Systems (hipaadvisory.com), California Health Care Foundation (ihealthbeat.org), World Privacy Forum (worldprivacyforum.org), and *hundreds* of other sites on the internet.

Finally, in case it was not abundantly clear, the only statement that attrition.org made regarding the Medica incident can be found on http://attrition.org/dataloss/ in which we summarize:

    (System administrators may have had access to around 1.2 million member records)

Please note that in keeping with the information available in the article, we specifically said "may have had access". That is the only comment that we (attrition.org) made regarding the incident, and it is hardly defamatory in nature. Further, it most certainly isn't made with malicious intent or intent to harm Medica in any way.

: If you or your organization elect to retain counsel, please have that
: counsel contact me immediately.

At this point I see no reason to retain legal counsel. You have provided a poorly justified letter with no legal foundation expressing your wish that we remove content that is not defamatory and that we should further help your company remove that content from web sites that we have no control over.

: If you or your company elect not to retain counsel, then please contact
: me immediately so that we can discuss measures to attempt to mitigate
: the damage done.

Being a volunteer run security resource, attrition.org would love to be able to discuss measures to attempt to mitigate the damage done. However, to do this, we would need extensive information regarding Medica and their network systems in order to help provide a security plan, security policy and auditing services to help test the security of Medica to ensure they are properly mitigating risks and vulnerabilities in their IT department.
Further, we would need physical access to all of the machines believed to be compromised to do a complete forensic examination of them in order to determine what information may have been compromised. Please have someone from Medica contact me directly and we can work out a plan and compensation to begin this process.

In the meantime, if you would share with us any correspondence between the Star Tribune and Dorsey & Whitney LLP regarding this, specifically the Star Tribune's acknowledgement that what they published was false and defamatory, along with a copy of their retraction, we will immediately post it on our site and consider removing the original article. Without that, I'm afraid I can't see how anything we have done is false or defamatory and I honestly don't understand how a registered lawyer in good standing with the Minnesota State Bar Association could claim this in good faith.

Jared E. Richo
attrition.org
From: "Magarian, Edward" (Magarian.Edward@dorsey.com)
To: jericho[at]attrition.org
Date: Thu, 18 Jan 2007 16:56:55 -0600
Subject: FW: Attrition.org letter

VIA E-MAIL

Jared E. Richo
attrition.org
jericho[at]attrition.org

Re: Attrition.org

Dear Mr. Richo:

Thank you for your e-mail dated January 14, 2007. Unfortunately, I was out of the office and out of state until today. I have now had an opportunity to review your letter with my client. I appreciate the lengthy explanation of how the letter ended up on your website. However, the explanation does not change two essential facts: First, your response ignores two locations on your website containing the offending material. Second, even if you believed the information contained on your site to be true at the time you published it, we are telling you now that there are no facts to support any allegation that Medica had a data loss on June 29, 2005 affecting 1.2 million members related to "fraud." Every day that you leave that information on your website is a day in which you are publishing information that is simply not truthful.

First, you claim that the "only statement that attrition.org made regarding the Medica incident can be found on http://attrition.org/dataloss/ in which we summarize: (System administrators may have had access to around 1.2 million member records). Your assertion is simply not true. When I wrote to you last week, there were two other locations which I identified in my letter that contained relevant material. The first location was at http://attrition.org/dataloss/dldos.html. It noted (and continues to note) that your organization tracks data loss and data theft incidents and has identified over 136 million records compromised in over 300 incidents across six years. Your statement at http://attrition.org/dataloss must be read in that context and clearly (and inaccurately) conveys that Medica is one of the incidents referenced. Certainly that is how emergentchaos.com understood your comments.
The second location was at http://attrition.org/dataloss.csv. I specifically addressed your attention to item number 10 on the chart contained at that location because it specifically referenced Medica and its 1.2 million subscribers. There was no qualifying language. From my review of your site today, it appears as though you have chosen to remove that chart from your site. I appreciate your willingness to do so. Please confirm that you have not placed that chart elsewhere in your website, or if you have, that it no longer includes Medica.

Second, the qualifying language you point to (i.e., the word "may") does not change the fact that the information is false. There is no evidence that the data was compromised for the 1.2 million members as a result of the conduct you reference. Therefore, to suggest that it remains a possibility that member data was compromised, is to falsely suggest something that is not true. Moreover, given your broader language at http://attrition.org/dataloss/dldos.html, readers (and other information providers) are left with the false impression that you have concluded that the data was in fact compromised. Again, any such conclusion is simply not true.

Even if you believed all of this was true at the time you wrote it, we have corrected that misimpression. Publishing statements which we have now informed you have no basis in fact based on your reading of a newspaper article does not provide you or your web site with any protection against a defamation suit. This is especially true, where, as here, you are drawing wrong conclusions from the very article you quote. If you read the article you quote carefully, you will see that it is all in the context of certain kinds of documents, none of which have anything to do with member data. The article even states that the evidence suggests that it did not involve member data.
You, however, choose to turn that into a conclusion either that it includes member data sufficient to count this incident as one of your 136 million records compromised.

Your legal discussion of defamation is amusing, but irrelevant. I suggest you contact a lawyer who can appropriately advise you on the issues we have raised. Any such lawyer will also tell you that "libel" is written false statements; "slander" is oral false statements; but both are defamation.

Finally, you threaten to publish our letter, as well as your response even though it was sent to you in a manner suggested by you and solely in an attempt to see if we can amicably resolve this matter. If you elect to publish the letters, please understand you do so without our consent and with knowledge that your response contains additional defamatory material (asserting that member data was compromised) which does nothing to resolve, but merely exacerbates, the current situation.

The web is a powerful and important tool to provide information to people throughout the world. It is important that we utilize this tool in a responsible fashion. I trust we can move forward and amicably resolve this dispute. Other information sources we have contacted appear to have appreciated our bringing the error to their attention and giving them an opportunity to correct the problem short of litigation. The same offer remains open to you. I hope that you take a similar view.

Ed Magarian
Partner
Dorsey & Whitney LLP
From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org
Date: Thu, 18 Jan 2007 20:43:03 -0500 (EST)
Subject: Re: FW: Attrition.org letter (fwd)

VIA E-MAIL

Dear Ed,

While these lengthy e-mails are sometimes amusing, it really is unfortunate that you get to bill someone $250/hr to read and write them. Every time I try to bill someone for my e-mail I get laughed at.

: Thank you for your e-mail dated January 14, 2007. Unfortunately, I was
: out of the office and out of state until today. I have now had an
: opportunity to review your letter with my client. I appreciate the
: lengthy explanation of how the letter ended up on your website.
: However, the explanation does not change two essential facts: First,
: your response ignores two locations on your website containing the
: offending material. Second, even if you believed the information
: contained on your site to be true at the time you published it, we are
: telling you now that there are no facts to support any allegation that
: Medica had a data loss on June 29, 2005 affecting 1.2 million members
: related to "fraud."

"You keep using that word. I do not think it means what you think it means." -- Inigo Montoya

'Fact' is the key point here.
Just to make sure we're on the same page, let's refresh both of our memories on what a 'fact' is:

    fact
      n 1: a piece of information about circumstances that exist or events that have occurred; "first you must collect all the facts of the case"
      2: a statement or assertion of verified information about something that is the case or has happened; "he supported his argument with an impressive array of facts"
      3: an event known to have happened or something known to have existed; "your fears have no basis in fact"; "how much of the story is fact and how much fiction is hard to tell"
      4: a concept whose truth can be proved; "scientific hypotheses are not facts"

That said, there are a few 'facts' that keep coming to my mind that you and/or Medica seem to be forgetting:

1. The original article by Glenn Howatt of the Star Tribune is still available on their web site, unedited, without retraction. Why? Have you not contacted them about their alleged defamation? If you have, why hasn't a retraction been issued? We offered to post that retraction and clear all of this up if you or the Star Tribune would provide a copy. Failing that, if Medica would like to provide us with a public statement regarding the incident, the court case against the two former employees and a summary of the digital forensic evidence that backs their statement, we will be happy to publish it.

2. Quoting from the original article, "And even after Medica had identified the suspects, they erased the hard drives of their company laptops without interference, destroying critical evidence, according to court documents." Unless the court documents that were filed are false or unless the Star Tribune article made up this information, then the fact is *evidence was destroyed* which led Medica representatives to say something leading to Howatt's comment of "In the end, Medica did find the alleged perpetrators, and even though it is not completely certain about what information was downloaded."

3. Based on the news article published by the Star Tribune, attrition.org summarized the information and clearly gave Medica benefit of the doubt by saying the records "may" have been compromised. Without digital forensic evidence conclusively proving what occurred, it will remain an unknown. A year later, Medica may restate their opinion, try to alter the wording of the facts or use legal threats to suppress this information, but it will always remain a possibility that customer information was compromised.

: Every day that you leave that information on your website is a day in
: which you are publishing information that is simply not truthful.

We are re-publishing a news article that remains the same since it was published.

: First, you claim that the "only statement that attrition.org made
: regarding the Medica incident can be found on
: http://attrition.org/dataloss/ in which we summarize: (System
: administrators may have had access to around 1.2 million member
: records). Your assertion is simply not true. When I wrote to you last
: week, there were two other locations which I identified in my letter
: that contained relevant material. The first location was at
: http://attrition.org/dataloss/dldos.html.

Since you are trying to get technical and lay a virtual smack down on me, please allow me to retort. The name 'Medica' appears on /dataloss/index.html on the main list of dataloss incidents and in the downloadable database located at /dataloss/dataloss.csv. The name 'Medica' does not appear on /dataloss/dldos.html like you maintain. This is *fact* and if you try to dispute this then I know this is a completely frivolous venture and nothing more than a legal scare tactic. Please observe:

Checking all HTML files in the dataloss directory for "medica " (so it doesn't find "medical"):

forced /home/web/dataloss$ grep -i "medica " *html
index.html:Medica Health Plans - [2005-06-29]
forced /home/web/dataloss$

To verify the name 'Medica' does not occur in dldos.html as you maintain:

forced /home/web/dataloss$ grep -i "medica " dldos.html
forced /home/web/dataloss$

To show the other occurrence, in dataloss.csv:

forced /home/web/dataloss$ grep -i "medica " dataloss.csv
06/29/2005,Medica Health Plans,US,Med,Ins,Fraud - SE,MISC,?,Inside - Malicious,No,, 1200000,medica01.html,DL-0089,,
forced /home/web/dataloss$

You may argue until you are blue in the face or until you have drained Medica of every last cent, but it will not change the *fact* that you are wrong on this point and that the only time we make a commentary on the incident is the main page (/dataloss/index.html):

forced /home/web/dataloss$ egrep -A1 -i "medica " index.html
Medica Health Plans - [2005-06-29]
(System administrators may have had access to around 1.2 million member records)
forced /home/web/dataloss$

Again, I'll point out that we are summarizing the article from the Star Tribune, in which it appears to be written based on statements made by Medica. This is not defamatory in any way.

: It noted (and continues to
: note) that your organization tracks data loss and data theft incidents
: and has identified over 136 million records compromised in over 300
: incidents across six years. Your statement at
: http://attrition.org/dataloss must be read in that context and clearly
: (and inaccurately) conveys that Medica is one of the incidents
: referenced.

The phrase "data loss and data theft incidents" does not implicitly say who obtained the records or if they were used for fraudulent activity. The fact is, a breach occurred at Medica in which the records *may* have been accessed by two employees (since terminated) and that the lack of digital forensic evidence makes it impossible to conclusively state what information was taken.

We also list the breach at the Department of Veterans Affairs which was later said "not to expose the information". The FBI went so far as to release a statement that was 'understood' by others in a manner that has nothing to do with reality or fact:

http://www.internetnews.com/security/article.php/3617601

    [..]

    According to Nicholson, initial FBI forensics on the laptop appear to indicate that no one compromised the personal data, including veterans' names and Social Security numbers. Although the FBI has not completed its investigation, Nicholson said the government is "optimistic" the chances of identity theft have been minimized.

    [..]

The fact is, FBI forensics could not conclusively state what happened with the laptop once it was out of VA custody. Digital forensics can not tell you if someone removed the hard drive and performed a bit-by-bit copy of it before replacing the drive in the laptop and turning it in.
The FBI can issue press statements all day long, but it does not change this "fact" (see above definitions). Likewise, if evidence was destroyed in the Medica incident, they can not conclusively state what information was or was not taken by the rogue employees.

: The second location was at http://attrition.org/dataloss.csv.
: I specifically addressed your attention to item number 10 on the chart
: contained at that location because it specifically referenced Medica and
: its 1.2 million subscribers. There was no qualifying language. From my
: review of your site today, it appears as though you have chosen to
: remove that chart from your site. I appreciate your willingness to do
: so.

We did not host a chart with an item "number 10" or "Medica". I am not sure to which page you are referring but I have a feeling that you are confusing us with another site. We have not removed any content from the Dataloss page as of this mail.

: Please confirm that you have not placed that chart elsewhere in
: your website, or if you have, that it no longer includes Medica.

Without an exact citation URL I have no idea what chart you are referring to.

: Second, the qualifying language you point to (i.e., the word "may")
: does not change the fact that the information is false.

So it is your contention that the two employees never had access to those records in any fashion? This directly contradicts the Star Tribune article that appears to quote Medica officials on what occurred.

At this point I must note that you are saying our page implies the loss of 1.2 million records by Medica if one were to read two HTML pages and one CSV database, and then make such a conclusion. Despite that, you still don't seem to understand or care that all of this is based on our conclusion based on an article in a news publication.

: There is no evidence that the data was compromised for the 1.2 million
: members as a result of the conduct you reference.
There is no evidence that the data was not compromised for the 1.2 million members as a result of the conduct the Star Tribune references.

-- Evidence was destroyed --

Please, take this time to consult a computer forensics specialist on what this means and the implications surrounding it.

: Therefore, to suggest that it remains a possibility that member data was
: compromised, is to falsely suggest something that is not true.
: Moreover, given your broader language at
: http://attrition.org/dataloss/dldos.html, readers (and other information
: providers) are left with the false impression that you have concluded
: that the data was in fact compromised. Again, any such conclusion is
: simply not true.

It is still a possibility, and this is fact. The actions of those two employees were not monitored, and in fact, could not be monitored at key times during this incident. You and Medica are falsely suggesting that they had no desire and ability to access that information when in fact, they certainly could have.

: Even if you believed all of this was true at the time you wrote it, we
: have corrected that misimpression.

A biased legal threat from the law office retained by Medica does not correct any impressions. When the Star Tribune releases a retraction, that will possibly change my impression of what may have happened.

: Publishing statements which we have now informed you have no basis in
: fact based on your reading of a newspaper article does not provide you
: or your web site with any protection against a defamation suit. This is
: especially true, where, as here, you are drawing wrong conclusions from
: the very article you quote. If you read the article you quote
: carefully, you will see that it is all in the context of certain kinds
: of documents, none of which have anything to do with member data.

    [..]
    And even after Medica had identified the suspects, they erased the hard drives of their company laptops without interference, destroying critical evidence, according to court documents.

    [..]

    In the end, Medica did find the alleged perpetrators, and even though it is not completely certain about what information was downloaded, the evidence suggests that it did not include personal information about Medica members.

    [..]

There are two key points to this article:

1. Evidence was destroyed according to court documents.
2. The remaining evidence 'suggests' that it did not include personal information about Medica members.

"You keep using that word. I do not think it means what you think it means." -- Inigo Montoya

Again, there is no *fact* that the member information was not compromised. In fact, *if* the member information was compromised and downloaded to one of those laptops, destroying that evidence would likely have been the first thing the rogue employees would have done due to the severity of the information and implications if they were caught. Bottom line, we are dealing with a lot of speculation as to what happened during this incident, and attrition.org has properly referenced this as a 'possible' breach.

: The article even states that the evidence suggests that it did not
: involve member data. You, however, choose to turn that into a
: conclusion either that it includes member data sufficient to count this
: incident as one of your 136 million records compromised.

The article states evidence was destroyed. What if that evidence was of the records being compromised? Too many unknowns.

: Your legal discussion of defamation is amusing, but irrelevant. I
: suggest you contact a lawyer who can appropriately advise you on the
: issues we have raised. Any such lawyer will also tell you that "libel"
: is written false statements; "slander" is oral false statements; but
: both are defamation.

Are you mocking me?
Re-read the e-mail I sent:

DEFAMATION - An act of communication that causes someone to be shamed, ridiculed, held in contempt, lowered in the estimation of the community, or to lose employment status or earnings or otherwise suffer a damaged reputation. Such defamation is couched in 'defamatory language'. Libel and slander are defamation. - http://www.lectlaw.com/def/d021.htm

Since the work in question is not spoken I will assume that you or your client is claiming that the article is "libelous." As best I know, and I am not a lawyer, there are a few key points of libel / slander; it must be harmful, it must be untrue and it must be done with malicious intent. Please feel free to quote the exact wording of the law if one of these points is not true.

Again, let's examine the facts of the e-mail I sent:

1. I cite my source for the definition of defamation so that we make sure we're on the same page.
2. I clearly indicate that the work in question is written and therefore your client thinks it is 'libelous'.
3. I mention a few points of "libel / slander" because they both go to the definition of defamation, one being spoken, the other written.

At this point you could have quoted the law showing me where I was wrong but instead, you decided to ignore what I wrote and mock me saying I need to consult a lawyer. It is clear from our e-mails that you need to consult a computer forensic specialist much more than I need to consult a lawyer.

: I suggest you contact a lawyer who can appropriately advise you on the
: issues we have raised.

Do you think they could also advise me on SLAPP suits?

: Finally, you threaten to publish our letter, as well as your response
: even though it was sent to you in a manner suggested by you and solely
: in an attempt to see if we can amicably resolve this matter. If you
: elect to publish the letters, please understand you do so without our
: consent and with knowledge that your response contains additional
: defamatory material (asserting that member data was compromised) which
: does nothing to resolve, but merely exacerbates, the current situation.

Nice try buddy. All of this pedantic dribble is essentially Medica saying we defamed them. If I publish these letters it isn't "additional defamatory material" because I stated my opinion about the content of our web page, explained it, cited my source / reasoning and asked you to refute any of it with fact. You could not do so.

: The web is a powerful and important tool to provide information to
: people throughout the world. It is important that we utilize this tool
: in a responsible fashion. I trust we can move forward and amicably
: resolve this dispute. Other information sources we have contacted
: appear to have appreciated our bringing the error to their attention and
: giving them an opportunity to correct the problem short of litigation.
: The same offer remains open to you. I hope that you take a similar
: view.

Other information sources blindly removing content regardless of fact doesn't make their actions right or Medica right. Because other web sites will instantly cave in to legal threats means very little to me other than the fact that I can't trust their data or numbers. This is not our first trip to the legal threat rodeo, sir.

Jared E. Richo
attrition.org

p.s. As our system disclaimer says, all mails regarding this will be published on our web site and distributed to parties we feel would be interested in this matter, including security groups, journalists and more.
From: "Magarian, Edward"
To: jericho[at]attrition.org
Date: Fri, 2 Feb 2007 13:36:40 -0600
Subject: FW: Medica/attrition.org Letter

VIA E-MAIL

Jared E. Richo
attrition.org
jericho[at]attrition.org

Re: Attrition.org

Dear Mr. Richo:

I received your most recent e-mail. We were prepared to resolve this matter after our exchange of letters because it appeared you had removed the chart listing my client on line 110, noting a loss related to 1,200,000 members due to fraud. As you appeared to recognize in your e-mails to me, that chart does not contain any of the qualifying language upon which you rely, and we can find none. Therefore, we appreciated your decision to remove the chart from your web site.

Unfortunately, we have recently checked your site again and discovered that the information has been reposted. I hope that this was in error, and in that spirit, am writing you to request that you simply remove the one reference to my client on that chart. I look forward to your reply and confirmation.

Ed Magarian
Partner
Dorsey & Whitney LLP
From: security curmudgeon (jericho[at]attrition.org)
To: "Magarian, Edward" (Magarian.Edward@dorsey.com)
Cc: legal[at]attrition.org
Date: Thu, 8 Feb 2007 01:37:17 -0500 (EST)
Subject: Re: FW: Medica/attrition.org Letter

Hello Edward,

: I received your most recent e-mail. We were prepared to resolve this
: matter after our exchange of letters because it appeared you had removed
: the chart listing my client on line 110, noting a loss related to
: 1,200,000 members due to fraud. As you appeared to recognize in your
: e-mails to me, that chart does not contain any of the qualifying
: language upon which you rely, and we can find none. Therefore, we
: appreciated your decision to remove the chart from your web site.

As I will show, my response to your previous email points out three issues, none of which you either clarified or appear to have understood:

First, you originally wrote:

: I specifically addressed your attention to item number 10 on the chart
: contained at that location because it specifically referenced Medica
: and its 1.2 million subscribers. There was no qualifying language.
: From my review of your site today, it appears as though you have
: chosen to remove that chart from your site. I appreciate your
: willingness to do so.

To which I replied:

: We did not host a chart with an item "number 10" or "Medica". I am not
: sure to which page you are referring but I have a feeling that you are
: confusing us with another site. We have not removed any content from
: the Dataloss page as of this mail.

The "chart" you are referring to is the Data Loss Database - Open Source (DLDOS), a comma delimited database. This file was *never* removed from our site. Your claim that we removed it to comply with your threat and then subsequently added it back to the site is false.
Second, you originally wrote:

: Please confirm that you have not placed that chart elsewhere in
: your website, or if you have, that it no longer includes Medica

You failed to give a citational URL for the "chart" originally and made us go through some 40,000 pages of content trying to figure out how a "chart" was supposedly added to our site that referenced your client, without our permission. I can confirm that the database (not "chart") does not appear elsewhere in our website.

Third, you originally wrote:

: As you appeared to recognize in your e-mails to me, that chart does
: not contain any of the qualifying language upon which you rely, and
: we can find none.

You then followed up with:

: Second, the qualifying language you point to (i.e., the word "may")
: does not change the fact that the information is false.

You now say you can find no "qualifying language" on a "chart" that you can't point me to, but then admit that there in fact is, by your own admission, qualifying language (i.e., the word "may")? That's a non sequitur, Ed. Look it up.

: Unfortunately, we have recently checked your site again and discovered
: that the information has been reposted. I hope that this was in error,
: and in that spirit, am writing you to request that you simply remove the
: one reference to my client on that chart. I look forward to your reply
: and confirmation.

Nothing was removed or reposted, because per my comment previously mailed to you, which you apparently either ignored or neglected to fathom:

: We have not removed any content from the Dataloss page as of this
: mail.

It should also be noted that in your original email, you mentioned THREE references to your client on either our "chart" or site. In your most recent email, you now say "the one reference". Which is it, Ed? Three? One? Chart? Site? Does your client even know you're spending this much time on what amounts to a SLAPP suit? Think the StarTribune might be interested?
Speaking of, did you ever get them to retract the article that is still available on their web site?

That said, here is where we are. In the spirit of good-will, and in the spirit of being fair and accurate, we have added additional language explaining our resources:

http://attrition.org/dataloss/dldos.html
"This list includes incidents that may or may not have resulted in information exposure."

http://attrition.org/dataloss/dataloss.csv
# Please read http://attrition.org/dataloss/dldos.html for details about this database. ,,,,,,,,,,,,,,,,,,
# This list includes incidents that may or may not have resulted in information exposure.,,,,,,,,,,,,,,,,,,

And finally, to help educate consumers and companies that were impacted by such incidents, we have written an article explaining that digital forensics can not conclusively prove data was or was not accessed. If you re-read my last mails to you this should be a familiar point I made. The Star Tribune article that seemingly quotes someone from Medica indicates that forensic evidence was destroyed. Given the unreliable evidence, the period of access the former employees enjoyed and the uncertainty of the events during that time, Medica simply can not truthfully and factually state beyond reasonable doubt that the information was not accessed or disclosed.

http://attrition.org/dataloss/forensics.html

If the Star Tribune retracts, corrects or updates their article we will reevaluate the information we have posted and consider removing or editing as needed.

Jared E. Richo
attrition.org
At this point, Ed stopped mailing us and we haven't heard anything since. As promised, we are sharing the mails in full. A few other pieces of information we dug up while laughing through this legal masturbation.
Our friend Ed has been on the other side: http://www.wal-martlitigation.com/99verdic.htm
Minnesota Man Sues Wal-Mart for Defamation, False Imprisonment and Negligent Infliction of Emotional Distress After Store Employee Detains and Accuses Plaintiff. Judgment for Plaintiff on Defamation Affirmed, Judgments for Plaintiffs on False Imprisonment and Negligence Reversed, $180,000 General Damages Award Remanded for New Trial - Gregg J. Smits v. Wal-Mart, 525 N.W.2d 554 (Minn. App. 1994). Ronald H. McLean and Jane L. Dynes, Fargo, ND for plaintiff. David A. Ranheim, Michael J. Wahoska and Edward B. Magarian, Minneapolis, MN for Wal-Mart.
At the time these emails were received, the Director of Security at Medica was Chris Grillo (chris.grillo@medica.com) who was previously an instructor at Computer Security Institute. Perhaps he could have explained how Medica was so certain nothing happened despite having previously admitted that evidence was destroyed. Perhaps he could have taken a CSI course on forensics?