Slashdot Mirror

← Back to Stories (view on slashdot.org)

Contractor Folds After Causing Breaches

Posted by kdawson on from the left-holding-many-bags dept.

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."

30 of 274 comments (clear)

  1. And that's the problem with corporations by Overzeetop · · Score: 5, Interesting

    Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable.

    (I happen to own a corporation, however as a professional engineer, I am also personally liable for everything which goes out the door.)

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:And that's the problem with corporations by grogdamighty · · Score: 4, Insightful

      Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor opens. How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

      --
      My other sig is funny.
    2. Re:And that's the problem with corporations by deftcoder · · Score: 4, Informative

      A judge can reinstate a business for the duration of a trial though, even if it was dissolved (with no objections) through the normal channels.

      Just because your business was officially dissolved (through the Secretary of State's office) doesn't mean that you're off the hook for bad shit you pulled.

      If an employee or contractor was found to be negligent or acting outside of their role within the corporation, they can be found personally liable. That usually results in employee/contractor suing the business and vice versa.

      American business law is very interesting.

      --
      Peace sells, but who's buying?
    3. Re:And that's the problem with corporations by Applekid · · Score: 4, Interesting

      I think you missed the point. If Engineers are legally liable for their work that can put people at risk, perhaps Programmers should be legally liable for their work that can put people at risk. Maybe instead of figuring out how to line their pockets with money with their "certifications," Novell, Microsoft, Cisco, et al. could pool resources and lobby for a legally-weighty certification for Software Engineers much conventional Engineers already have. Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

      You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.

      CEOs and board members only know how to run a company: you know, management, budgets, allocations, etc. I'd be very surprised if Widgets, Inc. CEOs know the exact procedure and design decisions that lead to Widget Model 3928 being the way it is.

      Of course, the court system will help determine whether it was a renegade programmer or whether board-imposed policies and procedures lead to the hiring of an unlicensed one.

      --
      More Twoson than Cupertino
    4. Re:And that's the problem with corporations by Phanatic1a · · Score: 4, Insightful

      Reality check : Most programmers are under commercial pressures from managers and customers.

      Reality check: Most engineers are under commercial pressures from managers and customers. That doesn't mean that if my boss wants me to use paper clips instead of my recommendation of high-tensile steel bolts, I'm on firm ethnical ground saying "Okay, paper clips it is." I have a professional, ethical responsibility to not build shoddy product. Don't programmers?

  2. left with no one to sue by YrWrstNtmr · · Score: 5, Insightful

    The hospitals, which initially reported their breaches separately, were left with no one to sue."

    I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

  3. Can't pass the buck by nicolaiplum · · Score: 5, Insightful

    You can outsource work but you can't outsource responsibility.
    And if you think the supplier will always be around to sue later, and suing them is your only plan, you're a fool.

    --
    "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
  4. Capitalism Rules! by FatSean · · Score: 3, Insightful

    Lots of people on slashdot extoll the virtues of un-fettered capitalism. "No need for government regulation, sue those who breach their contract!". Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

    --
    Blar.
    1. Re:Capitalism Rules! by peragrin · · Score: 3, Informative

      But it's governement regulations that have made it that way. the BOD of corporations should be ultimately responsible for the actions of the entire company. Since Corporations are a government protected body by removing the regulations protecting them opens the BOD up to others.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Capitalism Rules! by CmdrGravy · · Score: 3, Insightful

      Right, so then no one forms a company to do anything at all, no capital can be raised and nothing gets done.

    3. Re:Capitalism Rules! by thc69 · · Score: 4, Insightful

      Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!
      Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?

      Can he magically make the security breaches un-happen?

      At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.
      --
      Procrastination -- because good things come to those who wait.
    4. Re:Capitalism Rules! by nmx · · Score: 4, Informative

      Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again.

      Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try."
    5. Re:Capitalism Rules! by Opportunist · · Score: 4, Insightful

      Like you could sue a corporation when it still exists.

      Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).

      But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...

      Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Capitalism Rules! by Draknor · · Score: 4, Interesting

      Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

      1. Assuming the new company needs capital investment, they have to convince someone to invest. If investors don't do their homework, then they have only themselves to blame if the investment goes south (as presumably this one did).

      2. If you contract with that new company without doing a little bit of background research, and your data gets exposed next time -- well, I guess that means selecting a vendor wasn't important enough to take the time to do it right, correct?

      3. The IT mistake was not intentional / malicious, it was a mistake. While that should be a black mark on the reputation of former employees / owners, it shouldn't prevent them from ever working again; they just have to convince investors / clients that they have learned from that mistake and have policies / procedures in place to prevent it from happening again (assuming said investors / clients actually do their homework & check the vendor's reputation).

      I'm guess that means your corporate reputation goes out the window, for not doing sufficient research on vendors for critical services.

    7. Re:Capitalism Rules! by MightyMartian · · Score: 3, Insightful

      Get rid of the notion of limited liability for corporate officers. Simply alter corporate law so that corporate officers can be held directly accountable, so that when Mega-Chemical Corporation spills toxins into public drinking water, not only is the corporation taken to the cleaners, but the officers of the company are also taken to the cleaners. Thus, even if Mega-Chemical Corporation folds, we can still get our pound of flesh out of the officers.

      I'd wager it would be a boon for corporate governance if these turkeys knew that they would feel the weight of full liability.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:Capitalism Rules! by RexRhino · · Score: 3, Insightful

      Yes, but nothing's stopping these people from forming a new company and doing the same thing again.


      Of course there is... the fact that they lost their shirts and destroyed their reputations pretty much means they are never going to start another company providing the same services ever again!
    9. Re:Capitalism Rules! by RexRhino · · Score: 3, Interesting

      Bullcrap. In a nutshell, corporations are above the law. However, the alternative to corporations: Government controlled monopolies, are also above the law (try suing the Social Security administration or IRS for compromising your data!!). And the police and justice system that is supposed to "regulate" the corporations are above the law (or do you expect the FBI to be abolished and the President to go to prison for those illegal wiretaps they were doing?!).

      All large social entities: governments, corporations, religions, are above the law, because the concepts of law and justice apply to individuals, not masses of people.
    10. Re:Capitalism Rules! by thomas.galvin · · Score: 3, Interesting

      Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!


      Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?


      The problem with that is that a corporation is kind of an ethereal entity to begin with: it never really existed, except as an abstract concept, so "punishing" it is kind of meaningless.

      Here's an analogy. Steve is a plumber. You hire Steve to replace the pipes in your house. Instead, he screws up so badly that you can no longer live in your house. You go to sue him, but he says "sorry, I'm not Steve any more. You can call me Frank, and you can't sue me, 'cause I'm not Steve."

      That's basically what's happening here. The people responsible for this cannot be held accountable, because they no longer call themselves Careless, Inc.

      IANAL, YMMV, HAND, etc, ad infinitum.
      --
      Thomas Galvin
  5. Start looking at MedSeek by faloi · · Score: 3, Interesting

    I would think that if Verus is referring people to an alternate service, there would be some sort of contractual agreement between the two. The investors might have to assume some liability for preventing legal redress of problems.

    For that matter, I would the federal government would be all over it for violation of HIPA regulations.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein
  6. External security auditors were needed by Dekortage · · Score: 5, Interesting

    Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.

    What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).

    --
    $nice = $webHosting + $domainNames + $sslCerts
  7. Re:HIPPA by Jhon · · Score: 4, Informative

    There are serious fines and even criminal penalties for letting confidential patient records out.
    Great summary of HIPAA here.

    Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
    Notice that "knowingly" statement?

    Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPPA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name...

  8. See how far you'll get litigiously when... by ahuimanu · · Score: 3, Interesting

    The company is in India, or China, or Indonesia or.... you get the point.

    Hold your information close to your chest - there's a reason you used to pay a guy, an in-house guy mind you, the BIG BUCK$ to keep your information straight.

    But noooooo...

    We gotta OUTSOURCE because it looks good on a quarteryly statement.

    Stew in it boyos, STEW IN IT!

    --
    shock the monkey
  9. Re:Can someone explain by Dancindan84 · · Score: 3, Insightful

    can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another? A) Laziness (didn't want to set up a VPN or just open the necessary ports)
    B) PEBKAC (didn't know how to do the above, or at least do it properly)
    C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
    D) Some combination of A, B and C
    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  10. All right IT monkeys.. by __aagbwg300 · · Score: 3, Interesting
    From the FA:

    While reports of the breaches have been issued in dribs and drabs, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another, according to David Levin, vice president of marketing at MedSeek. Can someone explain to me why you would need to open EVERY PORT on a computer to transfer data across two machines? Is there any possible reason why this would be considered? Seriously?
  11. Your reasoning is flawed by BlackCobra43 · · Score: 3, Informative

    The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.

    Likewise, if the policies enacted by a companydirect actions defraud the public out of millions of dollars, they will be held acountable (see : Enron). If Joe Sixpack in accounting trafficks data all on his own, why should the CEO be held accountable?

    --
    I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
    1. Re:Your reasoning is flawed by jc42 · · Score: 4, Interesting

      Actually, engineers routinely do get out of responsibility for disasters. Part of the reason is that they let their bosses and the prosecutors know about the "paper trail" that they have kept. They threaten to show in court that they knew about the problems, warned their superiors about the problems, and were ordered to ignore the problems. The prosecutors then carefully forget about them.

      The poster child for this, of course, is NASA's history after the Challenger disaster. The immediate desire was to blame the engineers. But the engineers were happy to cooperate with the investigations, because they had copious records showing that they knew about the potential problems, tried to delay the launch, and were overridden by management. Subsequent analyses (by engineers ;-) showed that what went wrong was a known possibility during cold-weather launches, and that a lot of the engineers had indeed tried to delay the launch.

      The real disappointment in this and similar disasters is that the managers who override (or ignore) the engineers are almost never held responsible. NASA did do a bit of management shuffling, true, but nobody takes this seriously. With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.

      In the case of software, it's routine for management to order the use of packages that the engineers know to be insecure and/or unsecurable. I've seen it over and over. The developers know that they just have to live with this, and make the best of a bad management decision. The only way to change this is to make the actual decision makers responsible for the consequences. Does anyone seriously think this is likely to ever happen?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  12. Knee jerks the wrong way by bhmit1 · · Score: 3, Insightful

    Of course the knee jerk reaction is to make corporations more accountable, raise the risks for the owners, etc. As others have pointed out, no one would want to run a corporation where they are liable not just for doing their job, but being sure that no mistakes were made by anyone else (like the IT worker turning off a firewall, or the janitor that doesn't put down a wet floor sign). Take the current executive pay and bump it up by a factor of 10. Honestly, all the barriers, rules, legal risk, etc are part of the reason big companies have gotten so big.

    Also, lets not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principle, too. As did the shareholders (stock=0), employees (no unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.

    If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".

  13. No one to sue... by Glen+Ponda · · Score: 3, Insightful

    The hospitals, which initially reported their breaches separately, were left with no one to sue.

    A US-ian's worst nightmare, no one to sue. Do you really exist if you've no one to sue?

  14. I know Tom Lawry by PIPBoy3000 · · Score: 3, Insightful

    Tom Lawry, the CEO of Verus, is someone I've known for over ten years. He used to work for our healthcare organization and was one of the first people to "get it" over the Internet. He pushed for the formation of our web services team and sold the organization on making an Intranet when the whole thing was seen as a big fad.

    Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only getting our various regions to agree on a single form.

    In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).

    We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.

    I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?

    For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.

  15. Re:Things did get done before corporations by CodeBuster · · Score: 4, Insightful

    Limited liability is a double edged sword to be sure, but IMHO society is better of with the concept than without it. Consider bankruptcy for example, that is a form of "limited liability" as it applies to the individual. It ensures that your creditors cannot pursue you until to your dying day for your last penny due to circumstances beyond your control. There are abuses sometimes yes, and do not think that this investor is home free, if a lawyer can prove negligence in the breaches AND that the investor knew about the problems and did nothing then the investor can be held accountable for negligence, limited liability or not. The concept of limited liability exists to protect people from personal ruin from forces beyond their control, but it is not carte blanch to commit fraud, breach contract, or engage in negligent behavior.