New and expectant parent information exposed online

Date Reported:
10/19/08

Organization:
MediCorp Health System

Contractor/Consultant/Branch:
Mary Washington Hospital

Location:
Fredericksburg, Virginia

Victims:
"maternity patients"

Number Affected:
803

Types of Data:
Personal information including "Social Security numbers, phone numbers, address, insurance carrier", date of birth and doctor's name.

Breach Description:
"A security breach in an online computer system at Mary Washington Hospital exposed the private medical information of some of its maternity patients."

Reference URL:
The Free Lance-Star

Report Credit:
Jim Hall, The Free Lance-Star, special thanks to informed reader Rob at InsideIDTheft.info

Response:
From the online source cited above:

A security breach in an online computer system at Mary Washington Hospital exposed the private medical information of some of its maternity patients.
[Evan] Seriously!  Don't you think expectant parents have enough emotion to deal with?  Hormones are flyin' already.

A man who tried to use the Fredericksburg hospital's online registration system for his expectant wife said the files for 803 patients were publicly available on the site.

On Friday, a hospital official described the breach as an "anomaly."
[Evan] An anomaly explains something that is irregular or a deviation from the norm.  This breach was seemingly caused by terrible web site (security) design, which may not be a deviation from the norm at the hospital.  What may be construed as irregular is the way the breach was found (more below).  How do you think white hats (good), black hats (bad), script kiddies, hacktivists, et al. find and capitalize upon the information they typically find or acquire?  By deviating from the norm, i.e. using systems in ways that differ from the way they were originally intended to be used.  You get what I am saying?  Describing this breach as an anomaly as some sort of excuse (or minimization) doesn't work here.

She said the man was the only person to see the files, that he opened only two of them and that he did not print or download any data.
[Evan] This can be verified and how?  Are we safe to assume that the hospital employs the necessary detective controls (logging, intrusion detection/prevention, etc.) to back up this assertion?

"We believe that this is a one-time incident," said Kathleen Allenbaugh, hospital spokeswoman.

Hospital officials first learned of the breach when a Spotsylvania County sheriff's deputy notified them that the online registration feature at the MediCorp.org Web site was not working correctly.

Rebecca and Gary Dennison, a Spotsylvania couple, had contacted police after learning that their private medical information was visible on the site.

Dennison said last week that a stranger who gave his name as "Mike" called her house the night of Saturday, Oct. 11, to tell her that he was looking at private information about her and her husband on the MediCorp site.
[Evan] "Mike" is the man that stumbled upon the sensitive non-public information.  If you stumble upon or otherwise discover a breach, I wouldn't recommend calling a breach victim directly.  Especially at 11 o'clock at night.  This could open up a whole can o' worms.  In most cases, I would recommend reporting the incident to the organization who is/was responsible.  If nothing comes of that, then report the incident to the authorities.

The man knew the couple's Social Security numbers, phone numbers, address, insurance carrier, her birth date and her doctor's name.

"I was in shock," she said. "I didn't know what to do. It was 11 o'clock at night." (Rebecca Dennison)

Dennison called her husband, who contacted the Sheriff's Office after talking with Mike. A Spotsylvania deputy called Mike and then called the hospital.

Reached by phone last week, Mike said he was reluctant to talk about the incident, and agreed to do so only if his last name was not used.

"I didn't want to cause any trouble for anybody," he said.

He said he went to the MediCorp site to register his wife for her delivery.

He had trouble with the site, and at one point got a "certificate is revoked" error message.

He went to the address bar to delete the end of the long Web address, thinking that might help.

Instead, he ended up at a series of internal pages that contained private information for 803 people, apparently everyone who had registered online for a delivery since Dec. 27, 2007.
[Evan] Terrible site design.

"It took me a while to sink in what I was looking at,"

Eventually he concluded, "Oh, this is not good."

He said he picked several people at random and called to warn them. Only Dennison answered her phone.
[Evan] Again, not recommended.  This could have put "Mike" into a compromising position.

Mike said that when the Spotsylvania deputy called him, he again explained what had happened.

The deputy concluded that "it wasn't a criminal matter," said First Sgt. Liz Scott of the Sheriff's Office.

"Certainly it was a serious glitch in their system," Scott added.

Allenbaugh said the hospital has contacted one of the people whose files Mike opened and is attempting to notify the other.
[Evan] Judging from this statement, it doesn't appear as though the hospital has intentions of notifying the other 801 people affected.  Should they?

The online registration form has been taken down.

Commentary:
Incidents like this are more common when sites and programs are built with a feature-rich experience in mind first and foremost, and security is an after-thought.  I don't know if this was the case in this breach, but it seems likely.  Building applications (web, stand-alone, client/server, etc.) which include information security at a very early stage in the process are much more effective and have the potential to prevent incidents like this.  Equally as important is on-going testing and improvement.
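Added example, not MediCorp's code or the hospital's system: a minimal registration-record service that reproduces the design flaw the article describes (internal record pages reachable by trimming the URL, with no login check) next to a hardened handler that ties each record to the account that registered it, answers index-style paths and unknown ids identically, and keeps the audit log a hospital would need to back up a claim like "he opened only two of them". Record ids, account names, the URL prefix and the sample records are all constructed for the example.

```python
"""Added example (not MediCorp's code): weak vs. hardened handling of
online-registration record pages, plus the audit trail needed afterwards.
All names, paths and records below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: record id -> (owning account, record contents).
RECORDS = {
    "r-1001": ("acct-dennison", {"name": "R. Dennison", "ssn": "xxx-xx-1234"}),
    "r-1002": ("acct-smith", {"name": "J. Smith", "ssn": "xxx-xx-5678"}),
}
INTERNAL_PREFIX = "/register/internal/"   # assumed layout of the "internal pages"


def vulnerable_handler(path: str, session_user: Optional[str]) -> tuple:
    """Weak design: anything under the internal prefix is served to anyone,
    and the bare prefix (what is left after trimming the URL) lists every record."""
    if path == INTERNAL_PREFIX:
        return 200, sorted(RECORDS)                  # directory-style index of all records
    if path.startswith(INTERNAL_PREFIX):
        rec = RECORDS.get(path[len(INTERNAL_PREFIX):])
        return (200, rec[1]) if rec else (404, None)
    return 404, None


@dataclass
class HardenedService:
    audit: list = field(default_factory=list)        # append-only (user, path, status) log

    def handle(self, path: str, session_user: Optional[str]) -> tuple:
        """Owner-only access; no index for the bare prefix; every request audited."""
        rec_id = path[len(INTERNAL_PREFIX):] if path.startswith(INTERNAL_PREFIX) else ""
        rec = RECORDS.get(rec_id)
        if session_user is None:
            status, body = 401, None                 # not logged in: no data, no listing
        elif rec is None:
            status, body = 404, None                 # trimmed URL and unknown id look the same
        elif rec[0] != session_user:
            status, body = 403, None                 # logged in, but not this record's owner
        else:
            status, body = 200, rec[1]
        self.audit.append((session_user, path, status))
        return status, body

    def records_viewed_by(self, user: Optional[str]) -> list:
        """The question a detective control must answer after an incident:
        which records did this account actually open?"""
        return [p[len(INTERNAL_PREFIX):] for u, p, s in self.audit
                if u == user and s == 200]
```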

Past Breaches:
Unknown
