An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian Hospital and Columbia University Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday.
From the article:
The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from an New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.
In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.
New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint. The hospitals also agreed to take "substantive" corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. HHS will also be provided with periodic progress updates under the agreement.
(Score: 3, Interesting) by starcraftsicko on Friday May 09 2014, @06:10PM
Possible, but not necessary.
Again, assume that IIS is running unsecured on a windows machine with a disabled firewall located on a public ipv4 IP (like you would have if you plug to a cable modem directly, for example). It is plausible that a crawler/search engine would try to index http://aaa.bbb.ccc.ddd/ [ccc.ddd].
If directory listing is permitted... then almost anything could be indexed -- patient notes, test reports, images...
Even if it isn't, if someone created a helpful 404 error page with a relative link back to an appropriate menu or start location, information could be innocently revealed...
And I haven't seen too many robots.txt files set up for intranet services. Google and it's honest competitors wouldn't even have to be evil to index the site.
This post was created with recycled electrons.
(Score: 2) by Woods on Friday May 09 2014, @06:43PM
Dang son, that is some smart thinking. Whoever you work for needs to give you a raise, and I should be embarrassed for not being able to come up with that.
I can definitely attest to people just plugging things in wherever they go. Too many times have I seen someone bring in a router from home, plug it in to the network, and bring the company to its knees instantly.
(Score: 2) by Angry Jesus on Friday May 09 2014, @07:44PM
Not a dis on sicko, but the general scenario he described happens all the time. [wikipedia.org]