Three weeks earlier, one of Leah’s contract clients — a healthcare compliance firm — had brought her in to trace the source of a data exposure connected to NorthRiver Claims Solutions. She had spent six consecutive late nights in her apartment working through it: public-facing vulnerabilities in their patient portal infrastructure, archived employee authentication logs that had been improperly retained on an unsecured backup path, and internal process documents that had been indexed by a third-party vendor’s misconfigured API and made briefly discoverable through standard search queries before the error was caught and reported. She had signed a strict confidentiality agreement at the start of the engagement, as she always did, and there were significant things she could not discuss.

But there were facts she was entirely permitted to recognize when someone volunteered them publicly.