It was revealed recently that mental health professionals who use an Android phone in their practice, and have also run Facebook Messenger on that phone for some time, may have suffered a Facebook-caused breach of privacy that affects their clients. The breach may need to be reported to affected clients, and there is a small chance it must also be reported to Health and Human Services.
We consulted mental health counselor and HIPAA attorney Eric Strom for guidance on this issue. Roy’s video conversation with Eric is below.
Knowing What Happened
Ars Technica recently reported that on some Android phones, Facebook Messenger has been reading the phone’s call and text message logs and sending them to Facebook.
For affected professionals, Facebook may therefore have retained records of calls and texts exchanged with some of their clients. Those records contain the client’s phone number and whatever name the clinician gave that client in the phone’s contact book, so they identify the clients being communicated with.
Finding Who Was Affected
You can download a copy of all the data that Facebook has collected about you. Facebook provides instructions for doing that here. We recommend that everyone who thinks they might have been affected by this incident download their data and see if there is any client information in it.
- If you use an Android phone to call or text clients, and have (or previously had) Facebook Messenger installed on it, your clients may have been impacted. You can check for sure by downloading your Facebook data and looking for client information in it.
- If you have never called or texted clients with an Android phone on which Facebook Messenger was installed, this did not impact your clients.
- If you never opted in to allow Facebook Messenger to access the contact book on your Android phone, this might not have impacted your clients.
- iPhones are not affected at all by this particular issue.
If you discover that logs of calls or texts with clients are, in fact, in your Facebook data, then it would be wise to take some action to prevent more data gathering by Facebook going forward. Preventing more data gathering is likely as simple as deleting Facebook Messenger (if not all Facebook apps) from your Android phone.
You can also request that Facebook remove call, text, and contact data from your account. Instructions are here. Do note, however, that some journalists report that these requests don’t seem to be consistently honored. So check to make sure your request was completed before assuming that call and text logs have been removed from your Facebook data.
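As an added example (written for this article, not code from Person Centered Tech or Facebook), the Python below scans a downloaded export for the numbers and contact-book labels on a clinician’s client list, which serves both the “look for client information” step above and the later re-check that a removal request was actually honored. The export and client list in the block are constructed samples, and Facebook’s real file layout and field names are an assumption, which is why the scanner walks every string in whatever JSON it is handed rather than relying on particular keys.

```python
"""Scan a downloaded Facebook data export for a clinician's client contacts.

Hypothetical helper written for this article; it is not Facebook's code and the
export layout below is a constructed sample. Facebook's real download uses its
own file names and field names, so the scanner walks every string in whatever
JSON it is handed instead of relying on particular keys.
"""
import json
import re

# Loose pattern for anything that looks like a phone number inside a string.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

# Threshold from the HIPAA breach rule as described in the interview: 500 or
# more affected individuals triggers the large-breach response.
LARGE_BREACH_THRESHOLD = 500

# Constructed client list: contact-book label -> phone number as the clinician
# typed it. "MK" is included to show a client who does NOT appear in the export.
SAMPLE_CLIENTS = {
    "SG": "503-555-0142",
    "Pat R.": "(503) 555-0177",
    "MK": "503-555-0123",
}

# Constructed stand-in for the export. Real field names are an assumption.
SAMPLE_EXPORT = {
    "call_history": [
        {"contact": "SG", "number": "+1 (503) 555-0142",
         "type": "outgoing", "timestamp": 1522000000, "duration": 310},
        {"contact": "Dentist", "number": "503-555-0199",
         "type": "incoming", "timestamp": 1522100000, "duration": 45},
    ],
    "message_history": [
        {"contact": "Pat R.", "number": "5035550177", "direction": "incoming"},
        {"contact": "Unknown", "number": "503.555.0142", "direction": "outgoing"},
    ],
}


def normalize_phone(raw):
    """Reduce a number to bare digits and drop a leading US country code, so
    '+1 (503) 555-0142', '503.555.0142' and '5035550142' compare equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def iter_strings(obj, path="$"):
    """Yield (json_path, string) for every string value in a nested structure."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{index}]")


def find_affected_clients(export, clients):
    """Map each client label found in the export to the sorted JSON paths where
    it was found. A hit is either a phone number matching a client's number
    (the strong signal) or a string exactly equal to the client's contact-book
    label (weaker: short labels such as initials can collide with other
    contacts, so review label-only hits by hand)."""
    by_number = {normalize_phone(num): label for label, num in clients.items()}
    hits = {}
    for path, text in iter_strings(export):
        if text in clients:
            hits.setdefault(text, set()).add(path)
        for candidate in PHONE_RE.findall(text):
            label = by_number.get(normalize_phone(candidate))
            if label is not None:
                hits.setdefault(label, set()).add(path)
    return {label: sorted(paths) for label, paths in hits.items()}


def is_large_breach(hits):
    """True when the number of affected individuals meets the 500 threshold."""
    return len(hits) >= LARGE_BREACH_THRESHOLD


def scan_export_file(json_path, clients):
    """Run the scan over a real export file; re-run it after a removal request
    to confirm the client records are actually gone."""
    with open(json_path, encoding="utf-8") as fh:
        return find_affected_clients(json.load(fh), clients)


if __name__ == "__main__":
    found = find_affected_clients(SAMPLE_EXPORT, SAMPLE_CLIENTS)
    for label, paths in found.items():
        print(f"{label}: {len(paths)} record(s), e.g. {paths[0]}")
    print("large breach response required:", is_large_breach(found))
```

Point scan_export_file at the JSON files in your real download and pass your own label-to-number dictionary; label-only hits on short initials deserve a manual look before you count them as affected clients.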
Reporting the Incident
If you discover any client call or text logs in your Facebook data, it would be wise to tell any affected clients about their presence in those logs. There is also a small chance that you might need to report this incident to the federal Department of Health and Human Services.
This is where many therapists are likely to have a lot of questions. So instead of worrying alone, we contacted mental health counselor and attorney Eric Strom to help answer them and provide guidance. Following is Roy’s interview with Eric on the topic; a transcript of the video follows it, and resources for following up on this incident are at the end of the article.
– Hey everybody, I’m here with Eric Strom. He is an attorney and mental health counselor in the Seattle, Washington area. We’re talking about the Facebook Messenger fiasco around Android phones, which is lots of fun. So, we’ve already started talking a little bit about it, and I decided to start recording, because honestly, I think our conversation is something I wanna share with everybody, because Eric has got always really useful, important insights on this. So, we’ve already described in the article what happened. So let’s sorta go from there and just be like, let me just show everybody the screenshot from the Ars Technica article, in which we see here, this is somebody downloading the data Facebook has about them, and they can see that Facebook knows this information, this call log information from their Android phone. This is Android phones. Just wanna remind all the iPhone users that this was not possible on iPhones. This didn’t happen there; it’s just Androids, and not every Android phone user who runs Facebook Messenger actually necessarily had all this happen. You’ll wanna go download your data and find out if any of this happened to you. But for this person here, who kinda broke the story, I believe, this is, I think, an Australian gentleman who did this, this is information in which, where they had the information about all the calls made with someone named Sean Gallagher, and up here, blacked out for Sean Gallagher’s privacy, is his phone number, and so, you know, as we were just talking before we started recording here, Eric and I noted that the phone number is what makes the information identifying. And with identifying information, that makes this protected health information, if Sean Gallagher was my client, and this was my calls with Sean Gallagher.
– Yeah, exactly, Roy, so I’m thinking, imagine that this is your, as a clinician, this is your call log, and Sean Gallagher is your client.
– Right.
– And what’s been made public is both the phone number and the client name, so just the fact of the clinician/client relationship, that is a confidentiality. So we have two pieces of identifiable information. The other piece that I think is kind of important to highlight here is what I see many clinicians do, is, on that phone, instead of putting the client’s name in the address book, they would put SG, right? And feeling like, hey, they can’t be identified, so you don’t have to worry about it.
– Well, it reduces the risks of identification quite a lot.
– It does, absolutely. It reduces risk, but does not necessarily de-identify. Even those initials, SG, that is individually identifiable, especially when it’s together with the phone number.
– Yeah, together with the phone number, it’s slam-dunk identifying. Yeah, right, yeah. So I mean someone might say like, okay, so, we also were talking about comparing this to when somebody has been using an email address for a long time, and they don’t have a HIPAA business associate agreement with their email. Like, often a free Gmail account, we see a million of those, the thing we do at Person Centered Tech all the time is advise people, hey, you really need to switch to, you know, a paid account, where you can get your business associate agreement or to another provider where you get that business associate agreement, and they ask, like, what should I do about the fact that I’ve been exchanging emails with clients with this non-compliant situation with my old email, free email for all this time? And we say, well, you know what? Just, everything’s from here on. Just take it from here on. And, so, somebody may say, well, how, okay, so if Facebook has a bunch of logs of my calls with certain clients, and by the way, if you go look at your data, I think you won’t find that they have all of them. They’ll have certain ones. They kind of selected based on if it seems to be important or not, right? So certain clients, like, if you have a client who calls you a lot, that’s probably likely to appear in there.
– They’re important.
– Right. Are they important or not, I don’t know, but like, when you see that, they’d be like, why is that different with Facebook than the fact that I had all those emails exchanged before I switched to an appropriate HIPAA-friendly email server? Like, why is this one different? What do you think?
– Well, you know, when it comes to email, there’s just sort of an expectation and understanding of how that works, right? So we can talk a little bit about what we do once there’s a breach, but before we get there, it, you know, it’s understandable from the client’s perspective that with email, there’s this back and forth, and they’re already managing how much information they’re sending via email.
– Right. They may not be doing it well, but at least they know.
– Right, right. Or at least they ought to know, and I think from the clinician point of view, we already have in our mind that we need to inform clients about how to appropriately use email.
– Right.
– And they’re kind of a back and forth and a, you know, collaboration there. In this situation, there, the clients were not on notice at all that this might happen. There’s no reason that the clients ever would have considered taking steps to minimize or protect their information, ’cause they had no idea. I think that’s the big difference.
– Right, clients didn’t decide not to call me because Facebook might know I called my therapist.
– Right.
– But they might know not to email me for whatever reason or decide not to email me. Even if you didn’t explicitly inform me of that, I might have an awareness, although certainly we want that. But, yeah, in this case, no idea about it, right? And that seems to be the problem.
– Exactly, exactly.
– So, I do wanna say this, ’cause we wanna do like, you know, the rapport with people we’re talking about, right, and make sure they’ll understand like, we get it, that one of the challenges here is that at Person Centered Tech, at least, we’re always telling people, you know, smart phones can be secured. iPhones, Android phones can be secured, and we’re always telling them, watch your settings, you know, watch what you’re doing, but what sucks is here, this is the real reason why this is such a painful experience, is that Facebook was misleading. A lot of the people who report having had this information sent to Facebook say they didn’t opt in. And we’re not just talking about people who aren’t paying attention. Like, you know, programmers, developers, privacy experts, they’re saying they found this information in their Facebook datasets when they went and downloaded it, and they don’t recall ever opting into anything like this. And, you know, the history shows that there was a point in which Facebook’s message for opt-in was misleading.
– Well, and Roy, I think that actually is kind of a good segue into talking about HIPAA breach, right. Under the breach reporting rule under the HIPAA regulations, certain things happen once we realize that there’s been a breach of PHI or protected health information. The really important place to start, though, with breach is it sounds like you’ve screwed up or you’ve committed misconduct.
– Right.
– And that’s not what it means. Breach actually just means information was accessed, used, or disclosed outside of the protections of HIPAA, whether that was your fault or not.
– Right, right.
– It’s not, HIPAA is not about designating who’s at fault or punishments or violation. HIPAA is about encouraging and supporting protection. So the first thing is, you can have a breach that was not due to your own fault, your misconduct, or any kind of, you know, fault of any type.
– Yep.
– So, when I say breach, I just wanna make sure that we’re not saying.
– Yeah, right, that you screwed up. Right.
– But the breach, the breach rule under HIPAA requires a couple things. The first thing it requires is notice to the impacted owners of the information or clients. And this makes perfect sense, because the first thing that needs to happen is the client needs to know, here’s a potential disclosure or use of your information that you might wanna protect.
– Right.
– The second piece of that is then the clinician, the person whose information, who was holding the information that was breached has an obligation to mitigate any potential damages.
– Right.
– So step one, make sure that this doesn’t happen again, right?
– Right.
– Step two is really working with the client to identify what this means that their information was breached and what they can do to best protect their own privacy and confidentiality.
– Right. And so, yeah, so let’s talk about what those are. I mean, let’s give people some solutions, right, ’cause like, you know, making sure it doesn’t happen again, at this point, I’m kind of advising Android users, remember, this is Android phones, Android devices, generally phones, I’m saying, get the Facebook app off the phone. It’s actually very possible that right now that’s not necessary. You know, they’ve, Android has changed, changed actually a while ago, not in response to this, but they had already changed the way permissions work. And so if you started using Facebook Messenger or Facebook Lite after that time, apparently, you would not be prone to this, ’cause it would have to be more explicit about asking for this permission. And it’s likely that you’ve been impacted like this if you were using it before that point and allowing it to do that before that point. So it might be that right now, updating all this and, you know, telling Facebook no, don’t take this data, go download your data. You can actually request that they remove all of this from your dataset on Facebook. You can do all that. I would do all that. But you know, at this point, we’re kind of learning Facebook is not as trustworthy as we thought when it comes to settings and permissions. So, like, I can tell people on an iPhone, you’re not depending on Facebook to be trustworthy. The iPhone actually won’t let apps access that info unless you tell your phone, yes, let that app access my info, whereas with the Android, you are trusting Facebook’s app to behave properly, and it did not. It misbehaved. And that’s where we’re going, that’s why we say this is not really your fault. You know, no one expected that.
– Right.
– And certainly, and certainly that just indicates a lack of trust or trustworthiness on the part of Facebook when it comes to being able to use their software in the same place you have client information.
– That’s right.
– Yeah.
– You know, this might also be another reason to use literally two separate devices, one professional device and one personal device. The professional device doesn’t have Facebook, right? It doesn’t run all those apps. The personal device does my personal stuff. It doesn’t have any PHI on there.
– And there’s actually a couple ways to do that, Eric. I realize, you know, I have that literally, right. This flip phone is the voice calling phone, right? The voicemail and voice calling, right? I have an iPhone, so I wasn’t prone to this particular thing anyways, but let’s say there was an iPhone version that was prone, although iPhones are much better at stopping this kind of thing than Android phones. This kind of thing, not all the things, but this kind of thing, iPhones are much better at that. But I would not have been prone, because all my calls are on this. Now, people can say, but Roy, if that thing gets stolen, can’t people look at your call log on your phone? I say, yep, that’s my problem, so my physical security of this is my big deal, right? So, on here, and then my secure texting app, the thing is, I have apps on here that are for use for clients, but they’re not like, they don’t tie into the core thing. Like, Facebook isn’t gonna be looking at my Signal texting log, because it can’t, for one, on iOS, but also, it’s not what Facebook’s trying to do, right, they’re trying to look at the core texting log. So the thing is with the Android phones, like, it can be a separate device, or like in the case of like when someone has a HIPAA-friendly soft phone app where you have like a software phone on your phone, so like a, give concrete examples, like 8×8 is an internet phone service we occasionally recommend, ’cause they do business associate agreements, and you get an app on your phone that gives you the second phone line through an app, right? And so that app’s call log is separate from your main call log. So the Facebook Messenger would not have been looking at that.
– That’s right, and, because they’ve signed a HIPAA business associates agreement, the developer of that app is assuring you that they are taking steps to be HIPAA compliant, and they have an interest in making sure that it is secure as well.
– Sure, right. Now, of course it doesn’t mean they wouldn’t do something like put their call log data into your main call log where Facebook could find it, because that’s your responsibility. But they generally don’t. But these HIPAA-friendly soft phone apps, I think that would be similar to having a second device like you’re talking about, yeah.
– Yeah, I agree.
– Right. So, yeah, so these are solutions for preventing from the future. Now, tell me about notifying clients.
– So, a part of it is to empower clients to be able to protect themselves once there’s been a breach, and the other part is to help the clinician be informed as to, you know, what the breach means and what mitigation needs to be taken from the clinician’s side. My guess is, with a breach like this, and assuming that it’s a breach, with a breach like this, most clients are gonna say, okay. So, Facebook knew that I called you. Why is that a problem?
– Facebook knew everything about me anyways.
– Yeah. I post everything about my life to Facebook anyhow, right? You know, and in most situations, it’s just having that conversation with clients to say, potentially, I don’t see any significant impact to you, but let’s talk about what that might be. And for most clients, it’s probably not a big deal. But I can imagine a situation where let’s say hypothetically just the fact of being connected with a therapist could be a big problem. There are situations where a client really needs that, that confidentiality, just as far as even, you know, relating to receiving therapy services. And then it would be a bigger deal, in an individual case. And that’s what that notice and conversation really needs to be about.
– Right, makes sense. Yeah, and I agree. I’m sure most clients are gonna probably just start a little conversation about how much Facebook sucks, right? Like, all the Cambridge Analytica thing and how the privacy problems of the modern world. That’s probably how most of it will go. I know there’s probably some thief out there who has my Social Security number like three times over because my insurance company lost it, then another company lost it, then another company lost it, which is really bad, but at this point, I’m like, I just gotta accept it. But, you know, many clients will do that. But, you know, I think an important thing to tell clients is how you’re taking care of it or just saying, like, I requested to have that information removed from my dataset, so once that’s, assuming they do that properly, it will no longer be available to them. I’m making sure my phone isn’t like this, and I want you to know that I, I did take a lot of precautions for my phone, and unfortunately, this is a thing no one saw coming.
– Right.
– And that’s like, and I apologize, you know. That’s kind of the best you can do, and in some ways, for most people, it’ll probably be good enough.
– Mmhmm. And this might be the opportunity to, you know, look at other processes too, right? This is the time to say, oh, and by the way, I’ve just upgraded to Hushmail, say.
– Right.
– Which is a high secure platform for email, just to better protect you.
– Right. Yeah, or I’m oh, let’s, you know, if we’re, ’cause we also got texting logs, right? So maybe they’ve been doing SMS texting. Maybe that’s the big thing that Facebook has. Well, maybe this is a good time to realize that no matter how much my client wants to request those non-secure communications, which they have a right to, maybe we shouldn’t do that. Let’s use Signal or let’s use Spruce Health or whatever kind of secure texting app you wanna use.
– Absolutely.
– Right. Okay, so how do we notify clients? I mean, should we give ’em a written letter? That’s the formal way. Our risk experience at Person Centered Tech, we have this letter that people can give people for breaching.
– That’s a really interesting question, and the bottom line is, the HIPAA rules don’t tell us. It just says notified.
– They don’t. That’s right.
– So, you know, there may be some state law that is, that is on point. I’m not aware of any, but that doesn’t mean that, your state, not your state, Roy, but your state, it is possible that there’s some kind of notice requirements that oughta be worth looking into. But, you know, just like so much of HIPAA, it’s all about what, what is actually functionally appropriate, right?
– Right, I agree.
– What works to best protect. In some cases, a letter might be appropriate. In this case, I don’t know that a letter is appropriate. So look at it this way. Let’s look at the population of clients that we’re most thinking this might be harmful to: the client that security and privacy and confidentiality around the relationship. Sending a letter to their address in the mail, I mean, that doesn’t necessarily sound so reasonable if that’s the client population you’re looking at.
– That’s a really good point, Eric. That’s right. Sorry we breached the knowledge that there’s a relationship. Here, let me send a letter to your home.
– That comes to your house and may be opened by the people you didn’t wanna know about your relationship.
– That would not be the best.
– Yeah. So, again, it’s all about a case-by-case basis of what is, what is the most protective and most appropriate? My thought is, with active clients, it’s probably most appropriate to have the conversation with them during the next meeting.
– Yeah, that makes sense. And document it.
– That’s right, and document it.
– Gotta make sure to say that.
– You know, unless there’s some reason to think that time is of the essence, and the client needs to know immediately. This doesn’t feel like one of those things in general, but again, case-by-case basis, it might be.
– Yeah. Well, I mean, it’s one of those things of like, upon discovery, I mean, for most people, technically discovery is gonna start as soon, like, you could say discovery starts once I see this video, because this is a notice that they may need, they may have a breach they need to investigate.
– Right.
– The thing is, I think it’s important to know at this point, remember, all of you can go download your dataset and see if anything did happen, and you know exactly who it happened to. That’s a really nice thing about this breach. You don’t have to notify everyone, just whoever is in that, whoever you find in there. That’s who you gotta notify. But the, oh, yeah, yeah, yeah, so I think when that’s the case, like, for active clients, I think talking to them and documenting it. But then it’s those, so how about for past clients? Can we use alternative notice and call them?
– Absolutely. I think for past clients, what I generally recommend is provide that notice in the way that you normally would communicate, right? So, whether that’s email or via letter, whatever is the normal way that you would communicate with clients. And being really mindful of, again, just the security of that mode of communication as well.
– Right, makes sense, right. Yeah, and I, yeah. This seems like a situation where the notification needs to itself be very confidentially done, just because of the nature of, you know, ’cause yeah. Okay, great. So, and then.
– And then I was gonna say also, not overly alarming, right? Partly I think this breach probably, honestly, really probably is not a problem for most clients, and we want to avoid making it sound like it’s more than it is so that clients are unnecessarily concerned about the breach of their confidentiality.
– Right. Yeah, I’m trying to think of like, how I would say it, like, you know, maybe some suggested language for people. I mean, certainly the language is, the formal language we often use can be kind of alarming, right?
– Yeah. And I would say maybe something like, it’s just been brought to my attention that some, some information about the time and date of calls you made to me may have been disclosed to an app. I don’t have any reason to suspect that the, that there’s any further impact to you than just that, but we may need to talk about it to identify if there is anything to be concerned about and so I can let you know what I’m doing to make sure that this information is not breached again in the future.
– Right. And you say, yeah, make sure it’s clear that you’re doing it, like, and I’m doing those things right now, right, exactly. Yeah, I think that’s good language right there, and I think that’s enough. Once again, most clients will be fine, and they can talk to you more about it if they need to. So, the other step, of course, in breach notification is knowing who to notify. As I said earlier, luckily, that’s easy in this case. Their phone number or however you identify them in your contact book will be right there if you do need to notify. And then, okay, so shall we go to the bigger question, like, the really annoying question, right, about HIPAA breach notification, which is, okay, so you notified the clients, but if you have a breach, theoretically, now, I’m gonna guess that no one has a breach here of more than 500 people’s stuff, right? So it’s gonna be small breaches everywhere, right? So like.
– And really, just to let everyone know, why does 500 matter?
– Okay, so, because if, in a single incident, so I think we would call this a single incident ’cause we’re discovering it all at once, if more than 500 individuals are impacted, so in this case, more than 500 clients generally is what that would be, I guess if you have clients, right, then you need to, you need to do what’s called large breach response, like, which means you have to tell the feds immediately.
– Right.
– You have to tell, and you generally need to tell local media. You need to do some kind of media notification so people know about it.
– That’s you’re right. The big difference is, if it’s 500 individuals impacted by the breach or more, then that report has to be made to the US Department of Health and Human Services immediately, and there has to be either individual notice to all 500 or notice by publication, right? So it’s a bigger response. If it’s fewer than 500 impacted clients, then you only have to report annually, meaning you have a whole year to figure out what you need to do.
– And right now, the deadline’s like the end of March of the following year, so actually right now, ’cause it’s April, yeah, you’d have like a whole year to tell the feds, which is actually very handy here, because I think there’s a really good question of, I don’t think there’s much question that you should tell your clients, whether it’s just by bringing it up in session or by something more formal. Whatever you do, you should let them know what happened.
– Obviously.
– And document that. But there’s a big question of whether or not you really need to do the report to Health and Human Services. I’m not convinced that that’s a slam dunk, given the nature of this breach.
– I’m not either, and to be honest with you, the requirement is for any breached PHI, a report needs to be made to the US Department of Health and Human Services. There’s an online form, super easy to fill out.
– Yeah.
– It just, and if you just Google breach report US Department of Health and Human Services, it’ll take you right to the form. It says information was disclosed. Importantly, it also says, what is your mitigation plan.
– Right.
– And what are you doing to avoid this in the future.
– Right.
– So think about that before you make the report. The reason that I’m not 100% sure is on a case-by-case basis, I’m not completely convinced for every clinician that this meets the definition of a breach. I just don’t know for sure.
– Right.
– The impact of making that report is potentially putting the Department of Health and Human Services on notice that they ought to audit you and your procedures and policies and what happened. Now, keep in mind, again, breach doesn’t mean misconduct.
– Small, yeah, yeah.
– Yeah. It’s a theoretical, theoretical possibility, not a very practical one. But it’s possible. I mean, you are in essence saying to the regulators, here’s what happened and where some information was disclosed. That’s what. So you really wanna make sure that you need to be telling ’em that and be sure that you do know how to respond if they ask additional questions.
– Mmhmm.
– So, those are the things that I, you know, that I would think about. Given that you have time, since it’s probably not a 500 person or more breach, what I would recommend is before making the notice, I would say it’s probably a really good idea to consult with an attorney, just to know, what are the, what are the potential requirements, and what are the costs and risks of whatever course of action you decide on.
– Right. I agree. Yeah, and there’s definitely a point where you gotta say, consult with an attorney, and consult with an attorney in your state, especially ’cause there’s also the possibility your, all states, all but three states have breach notification rules of their own, but they tend to be pretty matched up with HIPAA. I don’t mean they’re the same as HIPAA, but like, generally, if you’re doing what HIPAA says, you’re usually gonna be good with your state. ‘Cause you usually need to also tell someone at your state about a breach. But they’re usually just as uninterested in niggling details as Health and Human Services. Okay, I’m not the attorney, so I’m gonna go ahead and say this stuff, Eric. You can let me do it. But as the one who’s not got that, like, the weight of the JD, right, I can say that historically, Health and Human Services has been like, whoa, guys, we don’t wanna hear about every little thing. And that, actually after the HITECH Act, everyone was reporting every tiny thing that occurred, and that’s why they released their four-point assessment for whether or not you tell them or whether or not you notify at all, including technically, whether you notify clients, although the kind of, the best practice and the thing attorneys always tell you, which is why Eric is telling you this, is if you think something might be happening, let clients know. You know, we don’t necessarily say to notify in a formal sense, but like, let ’em know. Make sure they do know that something’s up. That’s always just an ethical or good thing to do. And that’s why Eric’s saying to do that, not because it’s, oh, you’ve done a violation and you’re bad and you gotta tell your clients. It’s just, it’s good to tell clients. 
But then like, you know, really, the whole like, the formal thing is do you tell the feds, and the feds are pretty clear that they don’t wanna hear about every little thing, and that’s why they gave the four-point assessment, and that’s what the difference between small and large breach is. They’re different forms you fill out, and they have different things in them. And so this is why I, you know, called Eric and said, hey, I want your opinion on, do people need to tell the feds, ’cause I’m not sure they do. But, of course, you know, the usual response is, it depends.
– Yeah, that’s a good attorney’s answer. Well, it depends, and the second thing is, what do you wanna do?
– Right, right, right, exactly. Yeah, and so like, I don’t, I mean, I think I, unfortunately for a lot of people, it made me feel anxious about this to have to leave it kind of vague about whether or not you do tell the feds, but the good news is, like Eric says, you have like, until the end of March 2019 at this point to decide. Time is of the essence in terms of determining who may have been breached. So if you go get your data from Facebook, the instructions are in something associated with this video, all right. I’m gonna make sure you know where you can do that. It’s actually pretty easy to do. And then determine, remember, if you don’t use an Android phone, never use an Android phone, you’re not at risk. So this is just of academic interest to you. If you use an Android phone to talk to clients or text with clients, there’s a chance, and you have the Facebook app on that phone, there’s a chance they may have some data. Go download it, check it out, and then make a decision from there about what you wanna do next.
– Yeah. And just one like thing that I feel like I have to point out is, even though you have the ability to wait to report to the feds, the necessity of informing clients is right away.
– Right, that, yes.
– As soon as possible, you really do need to do that right away in either case.
– Yeah, that’s right. Yeah, time is of the essence there, to use that term, yeah. And that’s, you know, and that’s, just so people know, ’cause sometimes people don’t quite know what that means, right. It doesn’t mean go call them right this instant. It means, you know, make a reasonable effort to not delay. Don’t delay it, right. All right. Okay, cool. Well, thanks so much, Eric. You definitely made me feel better. I feel like I’m not trying to figure out a solution for everybody on my own here. This is why consult, consult, right, as we always say in our business. So, if anyone ever wants to consult with you, Eric, what can they consult with you on, and how do they find you?
– So, if they are in the state of Washington, then I’m happy to consult on legal issues. Outside of the state of Washington, I can also consult regarding ethical issues and, you know, ethical analysis. To contact me, the best way is through email, and it’s [email protected], so [email protected].
– Great, and we’ll put a little thing at the bottom of your screen there so people can see that. Thanks so much, Eric. Really appreciate it, man.
– You bet, Roy.
– All right.
Resources
We are having a LIVE REPLAY of our 1-hour CE presentation on HIPAA-compliant risk analysis, which is a process we use to help us avoid incidents like this one. CE credit is free for all. It will be on April 26th at 3PM Pacific / 6PM Eastern. Get more info and register here.
1) We have a free article that describes how HIPAA breach notification works. Find it here.
2) Download your full set of personal data held by Facebook using the instructions here.
3) Get call, text, and contact info removed from your Facebook personal data using the instructions here.
4) The Person Centered Tech membership includes multiple levels of risk management support and tools to help mental health professionals stop these kinds of incidents before they start. Click here to check it out.