Contractor Folds After Causing Breaches

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."

left with no one to sue

[YrWrstNtmr]

The hospitals, which initially reported their breaches separately, were left with no one to sue."

I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

Re:left with no one to sue

I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

Not if they're a corporation.

People think that anti-corporation people are all hippies who want every business to be a small business. Not the case at all. I'm very anti-corporation, not because I care about size (which I don't), or care that they're putting small business out of business (because I don't care: the big guys give me a better price).

Rather, it's because when a small business messes up, people are held liable.

When a corporation messes up, NO ONE is held liable, except in extreme cases. The "corporation" is itself a legal entity, just like you or I, which absolves the responsibility for the actions of the people who work for it. This is bullplop. If I personally sell something that has a lethal defect, why can't I just wave my hands and absolve myself of the consequences? Is it because I don't have enough employees or because I don't have stock? Or is it because the government created the legal entity known as the "corporation" for the express purpose of shielding wealthy people from the consequences of bad business?

Can't pass the buck

[nicolaiplum]

You can outsource work but you can't outsource responsibility.
And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.

Re:Can't pass the buck

[Keys1337]

you can't outsource responsibility.

What's that thing called insurance do?

Capitalism Rules!

[FatSean]

Lots of people on slashdot extoll the virtues of un-fettered capitalism. "No need for government regulation, sue those who breach their contract!". Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

Re:Capitalism Rules!

[marx]

That's the whole point of a corporation though (Wikipedia):

A corporation is a legal entity (technically, a juristic person) which has a separate legal personality from its members.

If you take away the property that the members aren't personally liable, then it's no longer a corporation, but some other type of organization.

Re:Capitalism Rules!

[CmdrGravy]

Right, so then no one forms a company to do anything at all, no capital can be raised and nothing gets done.

Re:Capitalism Rules!

[thc69]

Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?

Can he magically make the security breaches un-happen?

At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.

Re:Capitalism Rules!

[Opportunist]

Like you could sue a corporation when it still exists.

Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).

But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...

Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"

Re:Capitalism Rules!

[letxa2000]

Someone: If you take away the property that the members aren't personally liable, then it's no longer a corporation, but some other type of organization.

Someone else: Right, so get rid of corporations.

Forget that! It's a vicious circle. Aside from it not being easy to get funding, investments, loans, etc. as an individual for business purposes, in this sue-happy society we live in, someone would have to be almost crazy to launch a business under their name. I have my own business and I stand behind my products and services and, to-date, no-one has even threatened to sue me. But that doesn't mean it will never happen or that there will never be a complete jerk of a customer that decides to litigate something that should just be worked out between the two parties.

Despite my best intentions and best efforts, there's no way I'm going to bet my family's economic future on whether or not some *sshole is going to launch a frivolous lawsuit. Which is why I have a business to protect me from personal liability. Not because I'm trying to avoid responsibility, but because it's dangerous to do business any other way.

If we could get some reasonable legal reform passed to reduce lawsuit (perhaps as simple as "loser pays, plus some extra amount to the winner for time and trouble"), then perhaps we'd have fewer absurd lawsuits and at that point it'd be reasonable to talk about holding individuals more legally and personally responsible even if there's a corporate shield. But for the time being, no way. The corporate shield might occasionally protect the bad guys, but it also protects millions of well-meaning entrepreneurs from vicious and frivolous lawsuits that could threaten their family which, in turn, would reduce the number of entrepreneurs. And that'd be a BAD thing.

Re:Capitalism Rules!

[MightyMartian]

Get rid of the notion of limited liability for corporate officers. Simply alter corporate law so that corporate officers can be held directly accountable, so that when Mega-Chemical Corporation spills toxins into public drinking water, not only is the corporation taken to the cleaners, but the officers of the company are also taken to the cleaners. Thus, even if Mega-Chemical Corporation folds, we can still get our pound of flesh out of the officers.

I'd wager it would be a boon for corporate governance if these turkeys knew that they would feel the weight of full liability.

Re:Capitalism Rules!

[RexRhino]

Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

Of course there is... the fact that they lost their shirts and destroyed their reputations pretty much means they are never going to start another company providing the same services ever again!

Re:Capitalism Rules!

[WNight]

So people shouldn't be able to write their liability off on the chance of there being someone else to pass the buck to later. These hospitals are now discovering where the liability stops...

If the hospitals had thought they were on the hook for the results of these systems they'd have demanded far simpler ones they could audit. Instead they buy a more complex system because of lies about its safety. This makes it almost impossible for honest firms to compete. If you discuss security issues you sound like more of a risk than the people who hand-wave them away.

Well, companies that haven't been burned don't realize the value of proper design. Just like people who've never witnessed a bridge collapse are reluctant to spend more for a sturdier design.

Re:And that's the problem with corporations

[grogdamighty]

Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor opens. How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

HIPPA

[morgan_greywolf]

HIPPA laws are no joke. There are serious fines and even criminal penalties for letting confidential patient records out. It's so serious that companies working with health care data often have special training programs for their employees that handle any sort of hospital data -- even for IT workers.

Verus probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPPA.

Well now...

[MrNaz]

"The hospitals, which initially reported their breaches separately, were left with no one to sue."

In this day and age, all I can say is BOO HOO.

Re:And that's the problem with corporations

[Raul654]

Engineers are legally responsible for all of the design decisions that go into their work. I see no reason now to hold corporate shills - erm, CEOs and other board members - to the same standard.

Re:And that's the problem with corporations

Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor opens.

Yes. In fact, sue the shareholders as well-- it's their company.

How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

Wow, that's retarded, even for /. Business is about risk. If they're not prepared to assume that risk, then they should stay the hell out of business.

Re:Can someone explain

[Dancindan84]

can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another? A) Laziness (didn't want to set up a VPN or just open the necessary ports)
B) PEBKAC (didn't know how to do the above, or at least do it properly)
C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
D) Some combination of A, B and C

Re:Personal liability is not a solution

[Jah-Wren+Ryel]

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge? I tend to agree with you, especially since the problem didn't kill anyone. But, some questions remain - we don't know how much influence that primary investor had over operations. What are the chances that he will just open up shop again under a different corporate charter and continue the same sort of poor practices that got his first company in trouble?

I think corporate death like this is a good thing if it results in the rest of the industry internalizing the consequences of poor practices. But if the problems remain, than the mere dissolution of the corporation is not sufficient.

hmm

[thatskinnyguy]

Enron folded after some financial misdeeds. The investors still had someone to sue. There is always someone to sue.

Knee jerks the wrong way

[bhmit1]

Of course the knee jerk reaction is to make corporations more accountable, raise the risks for the owners, etc. As others have pointed out, no one would want to run a corporation where they are liable not just for doing their job, but being sure that no mistakes were made by anyone else (like the IT worker turning off a firewall, or the janitor that doesn't put down a wet floor sign). Take the current executive pay and bump it up by a factor of 10. Honestly, all the barriers, rules, legal risk, etc are part of the reason big companies have gotten so big.

Also, lets not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principle, too. As did the shareholders (stock=0), employees (no unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.

If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".

Re:And that's the problem with corporations

[Raul654]

How many thousands of people lost their life savings when Enron folded? (Days before the end, the CEOs and other higher ups were selling their stock like it was on fire, while other investors - mostly employees of the state of California - were locked-out and unable to sell their holdings). What about MCI/Worldcom? What about ValueJet, which had dozens of safety violations prior to the crash of Flight 592 and for which the company was later indicted on 100+ counts of murder? What about Power Fasteners, which did such a shoddy job of constructing the Big Dig that the roof collapsed and killed someone (they were also indicted). What about ExonMobile, which (as a result of its operations 1888-present) is responsible for something like 5-8% of all global warming and will almost certainly face future lawsuits about it? Corporations can and willingly cause massive destruction on a global scale. They destroy lives, but they are ultimately a legal fiction created for the purpose of shielding the true decision makers from the legal liability of their decisions.

Re:All right IT monkeys..

[archen]

Looking at the clues here: File transfer + Firewall + needed to drop firewall... I'd say it was probably someone who couldn't figure out passive ftp. Needless to say they were transferring the data without encryption in the first place.

Re:in a country with the death penalty?

[Overzeetop]

Who's going to want to be a director? At the salaries these places pay, there will be people knocking at the door. And I wouldn't worry too much about the death penalty - captial murder has very narrow limits. I think the CxO would still have to stalk and kill someone to be eligible.

No one to sue...

[Glen+Ponda]

The hospitals, which initially reported their breaches separately, were left with no one to sue.

A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?

Things did get done before corporations

[spun]

There are still partnerships, the only thing we'd need to do away with is the whole limited liability thing.

Re:Things did get done before corporations

[CodeBuster]

Limited liability is a double edged sword to be sure, but IMHO society is better of with the concept than without it. Consider bankruptcy for example, that is a form of "limited liability" as it applies to the individual. It ensures that your creditors cannot pursue you until to your dying day for your last penny due to circumstances beyond your control. There are abuses sometimes yes, and do not think that this investor is home free, if a lawyer can prove negligence in the breaches AND that the investor knew about the problems and did nothing then the investor can be held accountable for negligence, limited liability or not. The concept of limited liability exists to protect people from personal ruin from forces beyond their control, but it is not carte blanch to commit fraud, breach contract, or engage in negligent behavior.

Re:And that's the problem with corporations

[SillySlashdotName]

CEOs and their cohorts make very good money to direct and lead their companies, but they are not personally responsible for the results of their leadership and direction.

Boards of Directors are supposed to be outside overseers who make sure those INSIDE the company are not blinded by internal goals and policies or politics; they are PAID to provide an outside view and unbiased viewpoint.

My point is that there is already several layers of 'leadership' that are supposed to be providing adhearance to standards, rules, and laws, and that those layers are WELL paid for that function. I don't see a hugh additional burden in making them legally responsible for performing (or not performing) their function.

Hold them responsible for Joe Coder's mistake? No, but the company should be responsible for ensuring that Joe Coder can not - through stupidity, incompetence, or accident - do something like the article and destroy the company/corporation. If safeguards are not in place, then SOMEONE should be responsible for the screwup, and the BoD and CEO, COO, CIO, etc SHOULD BE held responsible for not having safeguards in place.

"We hired the best coder minimum wage could buy and turned them loose without any oversight" is not sufficient to absolve them of responsibility, at least in my mind.

I know Tom Lawry

[PIPBoy3000]

Tom Lawry, the CEO of Verus, is someone I've known for over ten years. He used to work for our healthcare organization and was one of the first people to "get it" over the Internet. He pushed for the formation of our web services team and sold the organization on making an Intranet when the whole thing was seen as a big fad.

Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only getting our various regions to agree on a single form.

In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).

We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.

I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?

For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.

Not a big thing really

[xednieht]

While HIPPA and all the other regs apply to the US, the medical industry and insurance companies outsource tons of data services to cheap off-shore companies that don't adhere to the regs.

With a couple of dollars and a few phone calls you can get mountains of patient data from overseas.

Re:And that's the problem with corporations

[Opportunist]

Let me clue you in how this works in many corporations.

The lot that makes up the top level management is usually small. You know each other. You see each other on various occasions. Doesn't it strike you as odd that every time some manager needs to "take a break" because his blunders were too obvious that miraculously someone from abroad comes in to take over? Guess what he did there. He needed a break.

The group is small and very selective who it allows into its ranks. You don't just get a ton of degrees from various business schools and then suddenly get an invitation to a talk whether you should be the next CEO of Siemens or Bosch.

This group, now, forms the whole lot. The CEO, the board, the whole levels and circles meant to control each other. And if you behave, next time you may be the CEO.

Re:And that's the problem with corporations

[letxa2000]

The hospitals, which initially reported their breaches separately, were left with no one to sue.

No-one to sue? Oh my gosh, it's the end of the world! How can there possibly be no-one to sue? No business or individual is complete if they don't have someone to sue. Oh, the humanity!

Re:And that's the problem with corporations

[Phanatic1a]

Reality check : Most programmers are under commercial pressures from managers and customers.

Reality check: Most engineers are under commercial pressures from managers and customers. That doesn't mean that if my boss wants me to use paper clips instead of my recommendation of high-tensile steel bolts, I'm on firm ethnical ground saying "Okay, paper clips it is." I have a professional, ethical responsibility to not build shoddy product. Don't programmers?

Re:External security auditors were needed

[CodeBuster]

Turning off the firewall is not as uncommon as you might think, especially at smaller companies where the inexperienced network administrator (the company didn't want to shell out for a decent admin) is under pressure from above to just "make it work" or "turn off the firewall so that our sales drone can demo the product to a client". The managers attempt to override objections from the engineers with promises that, "it is only for 15 minutes" or other false assurances, as if the engineers are only issuing warnings because they like to put the manager in a pickle in front of the client. The proper response from the engineer in these cases is to get the request in writing from the low level manager that is asking for it...you would be surprised how quickly they back off when they are forced to authorize a request in writing to "turn off the firewall".