Posts Tagged ‘Suitcase Clinic’

The Suitcase Clinic

August 31, 2011 Leave a comment

The Suitcase Clinic are a “humanitarian student organization and volunteer community offering free health and social services to under-served populations since 1989” (their words, not mine), based in San Francisco on the West Coast of the USA. They operate under the domain ‘’.

Most of the time.

I own a domain that is very similar to theirs. I registered this domain in 1996 for my own personal use, with no intention of ever using it for passing myself off as any other organisation. Unfortunately, every so often I get emails destined for The Suitcase Clinic, often from staff members themselves forgetting what their own domain name is. I have notified these individuals each time, but the message has not sunk in.

A week ago, following on from another incident, I notified their Advisory Board (who I would imagine being in a more senior position) that this was an ongoing issue, and said that if I heard nothing from them within 24 hours I would speak out. Needless to say, I have heard nothing and as a result am going public.

Looking back through my mailbox, back in June 2010 (not the first, but my history stops there) I received an email from the Suitcase Clinic themselves,

Hey Everyone!

Here are the applications for the 2010 Summer Training so far. We should be receiving more applications because the deadline has been extended to midnight.The applications are numbered to match the google doc. Have fun reading!

– The CCs

“The applications” were around 40 CVs of individuals who applied for internships at the Suitcase Clinic. This is personal data, all shipped nicely outside of the United States and therefore potentially breaching Safe Harbor laws. Needless to say, I notified all individuals immediately.

I did receive an apology:

Thank you for your notification. We were unaware that there was an active address after we realized we made the mistake yesterday. If its possible please delete those files. We will update everyone to make sure that they correctly input outgoing email addresses.
I want to apologize again on behalf of our organization for spamming your email. Once again thank you very much for taking time to let us know and have a great day!

A month later …

Hey Clinic Coords!

Summer trainees will begin shadowing at your clinics throughout the next three weeks. The class coordinators are requiring the trainees to shadow experienced caseworkers at least two times throughout the upcoming 3 weeks. In addition to the shadowing requirement, trainees are required to attend at least 1 S.H.A.R.E. discussion. In the spreadsheet (included at the bottom of this email as a link) you will notice that there is a list of all of our summer trainees in alphabetical order. In addition to their names, we have included the dates for clinic for the next three weeks. If a trainee attends clinic, it would be best for the class coords if clinic coords can indicate that a trainee attended their clinic (and stayed through debriefing) by placing an “x” into the column. At the bottom of the list, we have color coded each clinic, so in addition to indicating that the trainee attended clinic, please color code which clinic the trainee attended. If you would rather hand in a hard copy of your attendance sheet to the class coords, then you are more than welcome to do so, but please give it to us promptly. If you find that trainees are inadequately prepared or that something else could have been improved, then we would love your feedback to help us improve summer training. Thank you for your time and cooperation. We hope you like our summer trainees as much as we do.

My complaint about this was ignored.

Late September 2010, someone – I suspect a client – emails me with a rambling email appearing to describe incidents of racial discrimination. I notify Suitcase Clinic, and get the following (which I don’t believe was intended for my viewing):

Who gets forwarded emails from the Advisory@[redacted]?? (no one right?)
Just concerned that he’s forwarding someone unknown all these emails… haha.

Hilarious. I think I just split my sides.

March 2011, a further email. This one was from an attendee of the clinic; it could have been a mistake, or they were given my domain instead of the Clinic’s.

Finally, late August 2011 I get a notification email from Gmail (not the first, but I don’t have the other to hand):

You have requested to add pr@[redacted] to your Gmail account. Confirmation code: [redacted]Before you can send mail from pr@[redacted] using your Gmail account ([redacted], please click the link below to confirm your request:

If you click the link and it appears to be broken, please copy and paste it into a new browser window. If you aren’t able to access the link, please log in to your Gmail account, and click ‘Settings’ at the top of any page. Open the ‘Accounts’ tab, and locate the email address you’d like to add in the ‘Send mail as:’ section. Then, click ‘Verify,’ and enter your confirmation
code: [redacted]

Yes, this time someone at the clinic has decided they want the ability to send email from my domain (the gmail account was one that is closely linked to the Clinic). Again, I am promised that this will not happen again. I don’t hold out much hope.

Read more…

Categories: Security Tags: ,