Slashdot Mirror


Contractor Folds After Causing Breaches

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."

15 of 274 comments

  1. left with no one to sue by YrWrstNtmr · · Score: 5, Insightful

    "The hospitals, which initially reported their breaches separately, were left with no one to sue."

    I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

  2. Can't pass the buck by nicolaiplum · · Score: 5, Insightful

    You can outsource work but you can't outsource responsibility.
    And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
  3. Capitalism Rules! by FatSean · · Score: 3, Insightful

    Lots of people on slashdot extol the virtues of unfettered capitalism. "No need for government regulation, sue those who breach their contract!". Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

    --
    Blar.
    1. Re:Capitalism Rules! by CmdrGravy · · Score: 3, Insightful

      Right, so then no one forms a company to do anything at all, no capital can be raised and nothing gets done.

    2. Re:Capitalism Rules! by thc69 · · Score: 4, Insightful

      Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!
      Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?

      Can he magically make the security breaches un-happen?

      At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.
      --
      Procrastination -- because good things come to those who wait.
    3. Re:Capitalism Rules! by Opportunist · · Score: 4, Insightful

      Like you could sue a corporation when it still exists.

      Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).

      But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...

      Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Capitalism Rules! by MightyMartian · · Score: 3, Insightful

      Get rid of the notion of limited liability for corporate officers. Simply alter corporate law so that corporate officers can be held directly accountable, so that when Mega-Chemical Corporation spills toxins into public drinking water, not only is the corporation taken to the cleaners, but the officers of the company are also taken to the cleaners. Thus, even if Mega-Chemical Corporation folds, we can still get our pound of flesh out of the officers.

      I'd wager it would be a boon for corporate governance if these turkeys knew that they would feel the weight of full liability.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:Capitalism Rules! by RexRhino · · Score: 3, Insightful

      Yes, but nothing's stopping these people from forming a new company and doing the same thing again.


      Of course there is... the fact that they lost their shirts and destroyed their reputations pretty much means they are never going to start another company providing the same services ever again!
  4. Re:And that's the problem with corporations by grogdamighty · · Score: 4, Insightful

    Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor open. How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

    --
    My other sig is funny.
  5. Re:Can someone explain by Dancindan84 · · Score: 3, Insightful

    can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another?
    A) Laziness (didn't want to set up a VPN or just open the necessary ports)
    B) PEBKAC (didn't know how to do the above, or at least do it properly)
    C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
    D) Some combination of A, B and C
    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  6. Knee jerks the wrong way by bhmit1 · · Score: 3, Insightful

    Of course the knee jerk reaction is to make corporations more accountable, raise the risks for the owners, etc. As others have pointed out, no one would want to run a corporation where they are liable not just for doing their job, but being sure that no mistakes were made by anyone else (like the IT worker turning off a firewall, or the janitor that doesn't put down a wet floor sign). Take the current executive pay and bump it up by a factor of 10. Honestly, all the barriers, rules, legal risk, etc are part of the reason big companies have gotten so big.

    Also, let's not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principal, too. As did the shareholders (stock=0), employees (now unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.

    If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".

  7. No one to sue... by Glen+Ponda · · Score: 3, Insightful

    The hospitals, which initially reported their breaches separately, were left with no one to sue.

    A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?

  8. I know Tom Lawry by PIPBoy3000 · · Score: 3, Insightful

    Tom Lawry, the CEO of Verus, is someone I've known for over ten years. He used to work for our healthcare organization and was one of the first people to "get it" over the Internet. He pushed for the formation of our web services team and sold the organization on making an Intranet when the whole thing was seen as a big fad.

    Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only getting our various regions to agree on a single form.

    In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).

    We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.

    I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?

    For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.

  9. Re:And that's the problem with corporations by Phanatic1a · · Score: 4, Insightful

    Reality check : Most programmers are under commercial pressures from managers and customers.

    Reality check: Most engineers are under commercial pressures from managers and customers. That doesn't mean that if my boss wants me to use paper clips instead of my recommendation of high-tensile steel bolts, I'm on firm ethical ground saying "Okay, paper clips it is." I have a professional, ethical responsibility to not build shoddy product. Don't programmers?

  10. Re:Things did get done before corporations by CodeBuster · · Score: 4, Insightful

    Limited liability is a double edged sword to be sure, but IMHO society is better off with the concept than without it. Consider bankruptcy for example, that is a form of "limited liability" as it applies to the individual. It ensures that your creditors cannot pursue you until your dying day for your last penny due to circumstances beyond your control. There are abuses sometimes yes, and do not think that this investor is home free, if a lawyer can prove negligence in the breaches AND that the investor knew about the problems and did nothing then the investor can be held accountable for negligence, limited liability or not. The concept of limited liability exists to protect people from personal ruin from forces beyond their control, but it is not carte blanche to commit fraud, breach contract, or engage in negligent behavior.