Was it a "hacker" or was it Googlebot?
Date Reported:
8/14/08
Organization:
Wuesthoff Health System
Contractor/Consultant/Branch:
None
Victims:
Patients
Number Affected:
"more than 500"
Types of Data:
"names, addresses and Social Security numbers" and limited medical information
Breach Description:
"A security breach in Wuesthoff Health System’s pre-registration Web site earlier this week leaked personal information on some 500 patients, Wuesthoff officials confirmed today."
Reference URL:
Florida Today (original)
Florida Today (update)
WFTV Channel 9 News
Report Credit:
Susan Jenks, Florida Today
Response:
From the online sources cited above:
BREVARD COUNTY, Fla. -- Hundreds of people in Brevard County found out Thursday if their personal information was stolen.
Names, social security numbers and even personal medical information of more than 500 patients at Wuesthoff Medical Center were posted on the Internet.
[Evan] This is where this story gets a little fuzzy. It is not clear where the information was found on the Internet, how it got there, and who put it there. There are claims that "hackers" accessed the Wuesthoff pre-registration site, but there is also the good possibility that the site was poorly secured and search engines indexed the sensitive information.
There were no physician charts or direct medical records on the site, said Lisa Crites, Wuesthoff’s associate director for media strategy, but indirect medical information could be implied, based on an upcoming treatment.
[Evan] Social Security numbers and implied medical condition information would be enough to make me concerned. Physician charts and direct medical records are not required to commit theft and fraud.
A Rockledge patient was contacted after an insurance agent in Arizona discovered the list while surfing the Web.
[Evan] Where did the insurance agent find the information?
The Medical Center shut the site down, but patients were worried because they don't know who could have seen it.
Wuesthoff Staff members believe their pre-registration Web site for patients may have been hacked into.
[Evan] It's probably easier to claim that you were a victim of a sophisticated hacker than it is to claim that your site was poorly secured.
Wuesthoff began tracking down the source or sources of the outside intrusion, which was identified late in the day.
[Evan] For Wuesthoff's sake, I hope the source wasn't something like "crawl-66-249-65-82.googlebot.com"
However, (Lisa) Crites said Wuesthoff needs subpoenas to access the information, which won't be available for several weeks.
Crites said the provider uses the same encryption technology to protect online information as banks do, but installed a new software program two weeks ago, called Google Analytics that may have provided a portal for unauthorized entry.
[Evan] Encrypted data transfers will only protect against the capture and disclosure of data in transit; they will do nothing to protect against a poorly configured or unpatched server. I have not heard of any exploits for Google Analytics, not that this means that there is not one. Sample Analytics code:
_uacct = "UA-1234567-8";
urchinTracker();
If there were a significant vulnerability in the Google Analytics code/implementation, I would think that exploits would be widespread.
Wuesthoff implemented the program to better track consumers researching its Web site, she said, and has never had a problem until now. The on-site database has been in existence since 2006.
[Evan] Was there a change control process, and if so is there an information security function/sign-off?
"The breach of information does not appear to be a malicious entry," Crites said. "It was the depth and capabilities of the Google search engine."
[Evan] The Google index will only include information that is "publicly" available, meaning that it will only access information that is easily accessed by anyone without real credentials. Google will honor a robots.txt file, if one is configured. This statement seems to lend credence to the thought that this information was not properly secured, and this was not a "hack".
They were trying to figure out what happened and planned to notify all the patients Thursday.
Phone calls to all 500 patients were made Thursday as Wuesthoff began tracking down the source or sources of the outside intrusion.
Commentary:
What do you suppose really happened, and what do you suppose is the true cause of this breach? The details are not clear and seem to be contradictory.
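One way to settle the hacker-or-Googlebot question from the web server's own access log, as an added example that is not part of the original post or of Wuesthoff's systems: confirm each Googlebot-labelled client by reverse and then forward DNS, and flag sensitive pages it was served without credentials. The log lines, the /prereg/ paths and the DNS answers are constructed, and "no credentials" here means no HTTP-authenticated user in the log.

```python
import re
import socket

# Constructed access-log lines (combined log format); the /prereg/ paths are hypothetical.
SAMPLE_LOG = """\
66.249.65.82 - - [12/Aug/2008:03:14:07 -0400] "GET /prereg/list.asp HTTP/1.1" 200 48213 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.65.82 - - [12/Aug/2008:03:14:09 -0400] "GET /prereg/admin/ HTTP/1.1" 401 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [12/Aug/2008:04:01:55 -0400] "GET /prereg/list.asp HTTP/1.1" 200 48213 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.23 - - [12/Aug/2008:09:30:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""
# Constructed DNS answers so the demo runs offline.
DEMO_PTR = {"66.249.65.82": "crawl-66-249-65-82.googlebot.com"}
DEMO_A = {"crawl-66-249-65-82.googlebot.com": ["66.249.65.82"]}

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Live DNS lookups used by default; a failed lookup returns None / [].
def system_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def is_real_googlebot(ip, ptr=system_ptr, fwd=system_a):
    """PTR must be under googlebot.com or google.com AND resolve forward to the same IP."""
    host = (ptr(ip) or "").lower().rstrip(".")
    return host.endswith((".googlebot.com", ".google.com")) and ip in fwd(host)

def crawler_exposure(log_text, sensitive_prefix, ptr=system_ptr, fwd=system_a):
    """List (ip, path, verdict, exposed) for Googlebot-labelled hits under sensitive_prefix."""
    findings = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, user, path, status, agent = m.groups()
        if "googlebot" not in agent.lower() or not path.startswith(sensitive_prefix):
            continue
        verdict = "verified-googlebot" if is_real_googlebot(ip, ptr, fwd) else "spoofed-user-agent"
        # exposed: served with 200 to a client that presented no HTTP credentials
        findings.append((ip, path, verdict, status == "200" and user == "-"))
    return findings

if __name__ == "__main__":
    for finding in crawler_exposure(SAMPLE_LOG, "/prereg/", DEMO_PTR.get, lambda h: DEMO_A.get(h, [])):
        print(finding)
```

A "verified-googlebot" row with exposed set to True means the page was readable by anyone without logging in, which points to a missing access control rather than an intrusion.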
Past Breaches:
Unknown
