Contractor Folds After Causing Breaches

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."

And that's the problem with corporations

[Overzeetop]

Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.

(I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)

External security auditors were needed

[Dekortage]

Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.

What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).