Cybersecurity Startup Used Unauthorized Hospital Data To Sell Others On Its Services

Companies that provide back-end online services often use live demonstrations to woo new clients or entice investors, but they often either run a simulation using dummy information or have permission to use an existing client’s operations. That apparently wasn’t the case for one multibillion-dollar cybersecurity startup, which reportedly spent years showing off unauthorized peeks into the network of one of its healthcare clients.

This is according to the Wall Street Journal, which reports that Tanium, a cybersecurity firm that maps computer networks to detect vulnerabilities, not only demonstrated its services using live network data from a nonprofit hospital in California but also posted videos of the demonstration online.

To be clear, though it’s a startup, Tanium isn’t just a guy in a blue polo who promises to debug your home network for a few bucks. The firm is currently valued at around $3.5 billion and has been backed by some of the biggest venture capital names in Silicon Valley.

According to the Journal, starting around 2012 and continuing for at least two more years, Tanium gave hundreds of presentations using network data from this hospital, which included highlighting vulnerabilities that had been discovered in the hospital’s system. That’s the kind of thing companies hire firms to find and then not tell anyone about.

The hospital confirmed to the Journal that it never authorized its network information to be shared with others and that the hospital “was not previously aware of these demonstrations or videos.”

“We are thoroughly investigating this matter and take our responsibility to maintain the integrity of our systems very seriously,” the hospital tells the Journal, clarifying that Tanium never had access to patient information.

Tanium, for its part, said the hospital had “provided us remote access,” but added, “we did not go far enough to ensure that particular customer’s operational information was sufficiently anonymized.”

Though the live demonstrations of the hospital’s network apparently stopped at some point in 2015, the Journal notes that videos of the demo — some posted by resellers of the Tanium service — had been publicly available on YouTube until earlier this week.

It’s been a bad month for the startup. Today’s report comes on the heels of a Bloomberg piece in which current and former Tanium employees alleged that the company’s top executives were keeping track of when various staffers were about to become eligible to receive stock in the company and then letting them go shortly before they vested. The company told Bloomberg it had investigated these types of allegations but found no patterns to back up such claims.