BreachExchange mailing list archives

Hospital unresponsive to multiple alerts about stolen data


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 28 Feb 2013 10:11:21 -0500

http://www.networkworld.com/community/blog/hospital-unresponsive-multiple-alerts-about-stolen-data

Security experts trying to tell a rural hospital that a pile of its
sensitive data belonging to staff and possibly patients sits exposed
on the Internet have been stymied for five days now by the fact that
no one at the medical facility will respond to their repeated
warnings.

Moreover, says one of the experts, this kind of situation happens with
alarming regularity.

"This is more commonplace than you might suspect," says a healthcare
professional who volunteers for the Open Security Foundation and blogs
about privacy issues under the pseudonym Dissent Doe.  "I've gone
through hoops trying to notify various city agencies at times, and
have gotten no responses to attempts to alert a major Canadian
newspaper, a major U.S. health insurer where patient info was
available on the web if you knew where to look, and a number of small
businesses. And those are just the ones I can recall offhand."

In the case of the rural hospital - which Dissent Doe isn't naming out
of concern that its server is still vulnerable - she and another OSF
member have made multiple phone calls, filled out a formal
(outsourced) service desk ticket addressed to the hospital's sysadmin
and technical analyst, and sent a direct email to the hospital's CEO.

They've gotten no response.

"The data were dumped on one of the ever-popular paste sites for
hackers. Some of the data appear to be from their physician directory,
which is no big deal. But there are other databases dumped that
contain personally identifiable info such as contact details.  One of
the databases might be of newsletter subscribers. The other one...
well, I have no clue.  There are also a few names with email
addresses, usernames, and encrypted passwords. I don't know whether
those are admin passwords to the server."

Dissent Doe is trying one more approach to get the hospital's attention.

"I did speak with a reporter local to them who will be contacting
them," she says. "My hope is that they'll take a phone call from a
reporter if they won't respond to us. At least that way they'll find
out they have a problem."

Contacting the local press is always an excellent idea, no matter the
issue involved.

Dissent Doe's blog post on the OSF website gets into more detail about
her efforts to contact the hospital and also offers a list of best
practices for organizations that would like to be more responsible.

"Every hospital tells patients that they take the privacy and security
of their information seriously," she writes. "I wouldn't believe them
if they don't respond to security alerts and make people jump through
hoops just to try to inform them that they may have had a breach
involving personal information. And I certainly wouldn't believe any
hospital that doesn't even return a phone call when you have left them
a message that they may have a security problem with their
public-facing server."

(Update: According to a story in the Pittsburgh Tribune-Review, the
facility in question is Uniontown Hospital, whose VP of HR and
marketing says they were already aware of the breach and had rectified
it. Even if that's true, Dissent Doe notes: "Of course, that doesn't
explain why they didn't have the courtesy to respond when they could
see that we were trying to alert them.")
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list