Post your tech glitches, errors, issues, etc. here.


Comments

  • AliceBastable
    AliceBastable Member Posts: 3,461
    edited May 2022

    Over two months of crap, and only a few minor improvements but countless new screw-ups. I think it's time for BCO to ditch the forums completely and stop pretending and stringing everyone along.

  • Beesie
    Beesie Member Posts: 12,240
    edited May 2022

    AliceBastable, as I've been reading the recent posts on this thread, I came to the same conclusion as you. BCO should just stop this, now. The situation is getting worse, not better.

    I can't imagine how frustrating this must be to newbies who really need help and advice and support now, and instead find all their diagnosis information to be screwed up and find few if any people responding to their posts. As we all know, it's extremely stressful going through the diagnostic process and being newly diagnosed; it is irresponsible of BCO to have a discussion board that patients come to expecting support, only to find that being on the site increases their stress and frustration.

    Perhaps the best option is to close all but the 'social' threads and the Stage IV forums and to use these forums to gauge how the site is doing. Once everything is running smoothly in these forums (if that ever happens), the rest of the site can be reopened.

  • MinusTwo
    MinusTwo Member Posts: 16,634
    edited May 2022

    Interesting idea Beesie. I hope BCO will at least consider it. Oh - and edited to say - let us know what they think, or even better what they plan.

  • Spookiesmom
    Spookiesmom Member Posts: 9,568
    edited May 2022

    The best made plans of men and mice go down the sewer. Why would BCO be honest and share?

  • katg
    katg Member Posts: 108
    edited May 2022

    I am not sure what tech people they used to help on this website, but I only joined, I think, in September of 2021. I registered as k-gobby. I cannot log into that one, as it does not recognize my emails. So it made me join again as kgob. Now, as I said, it lets me post and I have a K next to my name, but when I try to change my diagnosis info it says to log in.

    I hope a moderator will come on and give me some answers. I sent a message already. I agree with what has been said, as this is a mess. I am not going to join for a third time. I will just keep posting with 1/2 the wrong info under my name!!!

  • Spookiesmom
    Spookiesmom Member Posts: 9,568
    edited May 2022

    Does anyone know what city BCO is in? And is anyone from that city? Had a thought that if someone could contact the local news, ask them to check into BCO failure and donation request. Then, if that happens, put it on air. Maybe the national media would pick it up.

    Bet this site would be fixed in a rad zaps time.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods (in Philadelphia),


    You haven’t posted to this thread since Thursday morning. It’s been 4 days with people posting issues and no response from you.



    I noticed the “Work in progress” pop up is gone entirely. With the release notes rescheduled to every 2 weeks rather than weekly, have you stopped working on the “glitches”? Is the faulty website “as is” until the new platform? Is this your way of saying you’ve moved on? Should we?



    On images - I noticed a few members are able to post images. Please specify what is allowed because most members cannot post images.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    🤬🤬🤬

    I just learned why they disabled images. A data safety org found BCO had our images exposed (possibly for years), but they didn’t respond to notifications for over 5 months!

    Here’s the text. The safety org recommends filing a consumer complaint to the Pennsylvania Attorney General.

    ————

    Breast Cancer Support Organization Leaks Data Despite Multiple Notifications?

    Update: After posting this, tweeting this story, and getting retweets on it, it appears that as of late yesterday, the bucket was finally secured. Thanks to SafetyDetectives who kept re-checking the bucket and to everyone who tried to call attention to this to get the data locked down. DataBreaches did not get any acknowledgement or response from BreastCancer.org — at least not yet. DataBreaches has not changed its opinion that an investigation is needed to determine for how long these data were exposed, whether they were accessed and downloaded, and why BreastCancer.org failed to respond to multiple notifications over a period of five months.

    SafetyDetectives recently reported that Breastcancer.org has been exposing sensitive information in a misconfigured AWS bucket. According to their report, exposed data included more than 50,000 registered user avatars and more than 300,000 post images with EXIF data.

    Some post images featured sensitive content that felt as though it was intended for private viewing. For example, there were results from medical tests and images of nudity (most likely taken for medical purposes) included among the files — contents that a user would not typically post publicly.

    The data may have been exposed for years.

    Read more on SafetyDetectives.

    One point that wasn't clear from SafetyDetectives' report was whether the bucket had been secured. SafetyDetectives started reaching out to BreastCancer.org in November of 2021. They describe their multiple efforts but no outcome was reported. DataBreaches reached out to SafetyDetectives and received the following reply:

    … unfortunately the bucket is still unsecured, we tried reaching the organization several times to different email addresses (including their privacy email, CEO, and basically all the people on their about page), we even reached out via social media (we tried reaching them publishing a post, because they don't accept private messages), but they haven't replied back. We reached out to the US CERT but they didn't reply and AWS did reply, but the thing is that they cannot actually secure the bucket, but to tell the owner that they need to secure it.
    We published our report hoping that they would reach out to us to secure it but they haven't gotten back to us yet.

    So more than 5 months after responsible disclosure attempts began, the bucket was still unsecured. DataBreaches reached out to BreastCancer.org through their website contact form, and like SafetyDetectives, got no reply.

    DataBreaches left them a second message on their site telling them that we would be reporting in 48 hours and to lock down their data. There was no reply and the bucket was not secured.

    At 8:00 am this morning, DataBreaches left a voicemail on their office phone. It reiterated that people had been notifying them for months but they had failed to lock down their Amazon storage bucket and that DataBreaches would be reporting on it this afternoon.

    Still nothing, it seems.

    The organization's privacy policy page contains this statement:

    How We Protect Your Information

    We use reasonable and appropriate administrative, technical, and physical safeguards to protect the information that we have about you from loss, theft, and unauthorized use, access, modification, or destruction. We also require third-party service providers acting on our behalf or with whom we share your information to maintain security measures in accordance with industry standards.
    Although we have security safeguards in place, we cannot guarantee absolute security in all situations. If you have any questions about our security practices, please contact us as described in the "Contact Us" section. For your own security, please do not send any confidential personal information to us outside of our Services. It is also important that you maintain the security and control of your account credentials, and not share your password with anyone.

    Except that they don't respond to contacts.

    Pennsylvania regulators need to look into both the lack of security and BreastCancer.org's failure to respond to repeated notifications that they were exposing personal and sensitive information.

    If you wish to contact the Pennsylvania Attorney General's Office to file a consumer complaint, you can find information and an online complaint form linked from here.

    If anyone has a contact at BreastCancer.org or has influence with them, perhaps you could reach out, contact them, and tell them to lock down all that sensitive information already!

    And if you ever used their site and shared personal and/or sensitive data, perhaps you should contact them and demand that they secure your data.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    BCO,

    We require a response on this data breach and why you failed to respond to their repeated notifications.

    Please drop your plans for us to give you our medical data.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Everyone,

    I encourage you to try to delete your diagnosis and treatment details.

    I use the Signature to display my info. It’s harder to use for them because it’s a free form text field. Add emojis because they make it even harder to parse.

  • exbrnxgrl
    exbrnxgrl Member Posts: 12,424
    edited May 2022

    Thank you, serenity. If anyone ever seriously considered releasing their medical data to bco, which is beyond my imagination, this is serious reason to reconsider. The obfuscation and outright lying by bco is getting very difficult for me to deal with.

  • wrenn
    wrenn Member Posts: 2,707
    edited May 2022

    We've been Dr. Ozed


  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    BCO,

    Answer this below:

    DataBreaches did not get any acknowledgement or response from BreastCancer.org — at least not yet. DataBreaches has not changed its opinion that an investigation is needed to determine for how long these data were exposed, whether they were accessed and downloaded, and why BreastCancer.org failed to respond to multiple notifications over a period of five months.

  • wrenn
    wrenn Member Posts: 2,707
    edited May 2022

    I still believe their intention was to do away with the forum and focus on the data sharing and be seen as a health provider. Forums don't bring in much $$$ and are a nuisance. This one will never bring in cash now so they gave up.

    If anyone wants to set up a proboards I will help with it. I don't trust my brain with set up. You can PM me if there is a simple way to start.

  • Cowgirl13
    Cowgirl13 Member Posts: 1,936
    edited May 2022

    spookiesmom, I totally agree. Contacting the media and having them run with it is the only action, I believe, that will generate a solution to this mess. Anyone have media contacts?

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    I’ve asked the writer who did the glowing article about the redesign to follow up on the data breach.

    https://twitter.com/serenity_soon/status/1523703862724481024?s=21&t=x7lnNFqpfZO2bVraC9KOGQ


  • Moderators
    Moderators Member Posts: 25,912
    edited May 2022
    Hello everyone, we reported on the image issue last week, took immediate action to address any potential security risk to Breastcancer.org, and are close to restoring access to images. We do understand your frustration, and hope you know that we are putting our resources toward making improvements as quickly as we can.
  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    FIVE MONTHS OF NO RESPONSE IS NOT IMMEDIATE ACTION!

    ANSWER THEIR QUESTIONS!

  • Moderators
    Moderators Member Posts: 25,912
    edited May 2022

    We're continuing to track and report technical bugs. The team is working to repair issues and the Release Notes page will be updated every two weeks. Meanwhile, the mods will be here to help you and keep you posted. We're here for you.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    Are you in touch with anyone in this Twitter thread to help lock in our data?

    https://twitter.com/trevorgiffen/status/1522243930565324804?s=21&t=PgF9UwXbXVAmc7W1agOmuA

    “For healthcare and similarly sensitive entities, next time reach out to @CuratedIntel before publishing a blog, and we'll take care of it. Cheers!”

    If not, you should be. I see some people are able to post images. If that’s not intentional, then we still have serious issues.



  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    You’re gaslighting me.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Why did no one from BCO respond when notified of the data breach? They tried to contact you for over 5 months. Multiple times.

    Why?

  • AliceBastable
    AliceBastable Member Posts: 3,461
    edited May 2022

    BCO credibility is completely shredded but they're having the Mods (otherwise known as the Mouth of Sauron) repeatedly post "It's only a flesh wound."

    Sorry for mixing my fantasy metaphors.

    I wouldn't trust them with my dog's vet records.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Your tech team does not appear to have the expertise required to lock in our data.

    Accept the help from the experts.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    “Pennsylvania regulators need to look into both the lack of security and BreastCancer.org's failure to respond to repeated notifications that they were exposing personal and sensitive information.

    If you wish to contact the Pennsylvania Attorney General's Office to file a consumer complaint, you can find information and an online complaint form linked from here.

    If anyone has a contact at BreastCancer.org or has influence with them, perhaps you could reach out, contact them, and tell them to lock down all that sensitive information already!

    And if you ever used their site and shared personal and/or sensitive data, perhaps you should contact them and demand that they secure your data.”

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Mods,

    If you can’t admit that you failed to respond to their data breach notifications, then I will fill out a complaint form. I’m in Canada, so I don’t know if it will make a difference. But most of us are in the US.


  • Beesie
    Beesie Member Posts: 12,240
    edited May 2022

    Well, holy crap, Batman. The $#!+ has certainly hit the fan since I last visited the site.

    It's interesting to learn that members of the discussion board are not the only ones who've been ignored by BCO when we complain. We've only been at it for 2 + months. This very serious security breach was ignored for 5 months. I suppose we should feel better then, knowing it's not just us. Seriously, this is both unbelievable and frightening.

    I have already removed all my personal information from the site, except for my posts. I'm tempted to delete my membership but that would delete all my posts, which would be a shame.

    BCO executives better step up to the plate soon, before BCO's reputation and website is completely destroyed. And to be honest, it sounds like a clean sweep of the executive offices may be the only way to recover from this.


  • wrenn
    wrenn Member Posts: 2,707
    edited May 2022

    I wonder if the same level of gaslighting would occur if the topic was brought to their Facebook, Instagram and Twitter sites.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    Beesie - We don't know how long our data have been exposed. BCO has not answered that question. Could be years. I don't really worry about my data. I deleted the few pics with my face years ago. But what about any images posted in the reconstruction threads? BCO has not answered if any images were downloaded. It's an extreme violation that they don't seem to understand and are brushing off as an “issue”.

  • Anonymous
    Anonymous Member Posts: 1,376
    edited May 2022

    I don’t have FB, but the mods did respond here when I posted a link that I asked on Twitter for Fast Company to follow up on the data breach.
