Benlog

security, privacy, transparency.
« Creative Commons and the Associated Press
EVT/WOTE 2009, Day 1, Morning »

HealthEngage leaking email addresses?

Filed under: medical,privacy — August 3, 2009 @ 11:50 am

For more than 10 years now, I’ve used custom email addresses when I log in to a web site I don’t fully trust, e.g. ben-SITENAME at adida.net. Until recently, the only time I’ve actually been able to trace emails to their source is when I saw how Democrats reused some of their mailing lists during the 2004 and 2008 campaigns.

This weekend, though, I received an unpleasant surprise. I got a spam email sent to ben-healthengage. HealthEngage is a health web site I tried out a few days months ago to explore how some companies are working on device connectivity. I’m 99% certain I haven’t used that email address anywhere else (why would I?) So, is HealthEngage leaking email addresses in some way, either because they’re selling them or because they’re not protecting them very well and spam crawlers are picking them up somewhere?

Either way, it’s a little bit disconcerting: this is a health-data web site, and its members surely worry about their privacy.

  • http://josephhall.org/nqb2/ joe

    So, does this mean I can guess ben-somesite@adida.net , send some spammy email to it and force a write-up like this? :) I’m kidding, of course. It would be neat to see if anyone tries other ben-foo@adida.net addresses. I guess using a random identifier in the email address would require a look-up table and such…

  • http://josephhall.org/nqb2/ joe

    So, does this mean I can guess ben-somesite@adida.net , send some spammy email to it and force a write-up like this? :) I’m kidding, of course. It would be neat to see if anyone tries other ben-foo@adida.net addresses. I guess using a random identifier in the email address would require a look-up table and such…

  • http://www.healthengage.com David Williams

    Ben,

    Rest assured that at no time will your or any other HealthEngage user e-mail address ever be sold or shared with anyone. We use every available measure to maintain security for the system and we will investigate this incident and see what the cause might have been. We have not received other messages from users, though we have many users who use a special e-mail address just for HealthEngage like you did, so if you could please e-mail me with all of the details of what happened, copy of the message, OS, mail client, etc. to help us with our investigation it would be greatly appreciated. We take security and privacy very seriously and want to do everything possible to reassure any concerns our users might have. Please feel free to e-mail me with any other questions or concerns.

    Sincerely,

    David

    David Williams
    Director of Privacy
    HealthEngage

  • http://www.healthengage.com David Williams

    Ben,

    Rest assured that at no time will your or any other HealthEngage user e-mail address ever be sold or shared with anyone. We use every available measure to maintain security for the system and we will investigate this incident and see what the cause might have been. We have not received other messages from users, though we have many users who use a special e-mail address just for HealthEngage like you did, so if you could please e-mail me with all of the details of what happened, copy of the message, OS, mail client, etc. to help us with our investigation it would be greatly appreciated. We take security and privacy very seriously and want to do everything possible to reassure any concerns our users might have. Please feel free to e-mail me with any other questions or concerns.

    Sincerely,

    David

    David Williams
    Director of Privacy
    HealthEngage

blog comments powered by Disqus