Walter Reed Army Medical Center breach through P2P

Date Reported:
6/2/08

Organization:
United States Army

Contractor/Consultant/Branch:
Walter Reed Army Medical Center ("WRAMC")

Victims:
"Military Health System beneficiaries" or patients

Number Affected:
~1,000

Types of Data:
"Names, Social Security numbers, birth dates and other information"

Breach Description:
"WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army."

Reference URL:
Walter Reed Army Medical Center News

WISH TV Channel 8 News

Report Credit:
Walter Reed Army Medical Center

Response:
From the online sources cited above:

WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army.

Names, Social Security numbers, birth dates and other information was released, hospital officials said Monday.
[Evan] This information belongs mostly to military personnel that were patients of WRAMC.  The victims are the people that defend this country.   Grrr.

The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, they said.

Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army.
[Evan] There is more insight into the cause of the breach below.  Keep reading.

Preliminary results of an on-going investigation have identified a computer from which the data was apparently compromised.

Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise.

The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify.

The company, working for another client, found the file and contacted Walter Reed.

The hospital said it is working to notify all of the people named in the data file. Letters or e-mails were being sent out, beginning Monday.

The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation.

"It's very troubling when private data is inappropriately released," Skelton said. "We must ensure that personal information is protected and prevent any future compromise of patient records."
[Evan] Obviously easier said than done.

Walter Reed plans to offer free credit protective services to patients whose information was revealed.

The hospital also has set up a hot line for people to call to see if their information was disclosed (1-, ext. 9).

The Health Insurance Portability and Accountability Act of 1996 protects patients from unauthorized release of their health records. The Walter Reed Army Medical Center has a robust information assurance program that meets all program standards and requirements. The compromised data file did not include protected health information such as medical records, diagnosis or prognosis for patients.

Message to "Team WRAMC" from COL Patty Horoho:
I want to ensure that each of you has an understanding of what may be in the papers regarding possible disclosure of personal data. Walter Reed officials were notified of a possible disclosure of personally identifiable information through a Peer to Peer (P2P) network of approximately 1000 Military Health System beneficiaries. The information did NOT contain any protected health information such as medical records, diagnosis or prognosis for patients. The individuals impacted have been identified and we are taking a proactive approach to contact them to assist in providing fraud protection services. Below is the media release we sent out, which will provide more details. A 24/7 hotline has been established in the Combined Operations Center, or ext 9 and an info site on the web page is also being created.

I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared.

Commentary:
So the cause of this breach was an unauthorized installation and configuration of a Peer to Peer (P2P) program.  My concerns about this revolve around the ability to install the application and the inability of WRAMC personnel to block and/or detect the network traffic. 

The installation of computer programs on a computer usually requires elevated privileges such as administrative access. Are users of WRAMC information resources also administrators of their systems? If so, this is generally not a good idea.

P2P programs such as BitTorrent, Morpheus, Lime Wire, etc. are dependent upon a network to work, thus the "Peer to Peer". Most, if not all, P2P network traffic is easy to block and/or detect with any combination of filtering, network access control and intrusion detection or prevention. Are these technologies not in use at WRAMC?

Lastly, what is WRAMC policy with respect to acceptable use and network access?  There is no mention in the news reports.
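To illustrate the detection point in the commentary, here is an added example (not part of the original post, and not a description of any WRAMC tooling) that flags internal hosts by the first payload bytes of their flows rather than by port. The signatures come from the public BitTorrent and Gnutella protocol specifications; the function names, flow tuple layout and sample flows are assumptions constructed for this example.

```python
from collections import defaultdict

# First-payload signatures from the public protocol specifications.
# Matching on content instead of port catches clients on non-standard ports.
SIGNATURES = [
    ("bittorrent-peer", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("bittorrent-dht", lambda p: p.startswith(b"d1:ad2:id20:")),
    ("bittorrent-tracker",
     lambda p: p.startswith(b"GET ") and b"info_hash=" in p and b"peer_id=" in p),
    ("gnutella",
     lambda p: p.startswith(b"GNUTELLA CONNECT/") or p.startswith(b"GNUTELLA/0.6 ")),
]

def classify(payload: bytes):
    """Return the P2P protocol name for the first bytes of a flow, or None."""
    for name, match in SIGNATURES:
        if match(payload):
            return name
    return None

def p2p_hosts(flows):
    """Map each internal source host to the set of P2P protocols it spoke."""
    hits = defaultdict(set)
    for src, _dst, _dport, payload in flows:
        proto = classify(payload)
        if proto:
            hits[src].add(proto)
    return dict(hits)

# Constructed sample flows: (src, dst, dst port, first payload bytes).
# Internal addresses are RFC 1918; external ones are documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.5", 443, b"\x16\x03\x01\x02\x00\x01"),  # TLS hello
    ("10.0.0.37", "198.51.100.9", 51413,
     b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"P" * 20),
    ("10.0.0.37", "198.51.100.7", 80,
     b"GET /announce?info_hash=%aa&peer_id=-XX0001-abc&port=6881 HTTP/1.1\r\n"),
    ("10.0.0.44", "192.0.2.80", 8080,
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"),
    ("10.0.0.52", "192.0.2.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for host, protos in sorted(p2p_hosts(SAMPLE_FLOWS).items()):
        print(host, sorted(protos))
```

Payload signatures only match unencrypted handshakes, so this kind of check complements, rather than replaces, default-deny egress filtering and control over what software users can install.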

Past Breaches:
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians


 