Spyware Prank Exposes Hospital Medical Records
cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
He should have just planted a GPS in her handbag, then he'd have the full protection of Massachusetts law.
So what's happening to the woman who stupidly ran an exe she received in an email?
I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
This incident could very well be the least of their problems for all they know.
The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.
Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
(Not relevant to this thread but interesting, nonetheless)
Nicotine-free hiring policy
Because it's important for healthcare providers to promote a healthy environment and lifestyle, Akron Children's Hospital has a nicotine-free hiring policy.
Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
Akron Children's will not hire applicants who test positive for nicotine use.
If you test positive for nicotine, the offer of employment made to you will be rescinded.
If after 90 days you successfully quit using nicotine, you may reapply for employment.
Why is this not HER problem? She opened the e-mail that installed the malware on a hospital computer. If I infected computers at work, it'd be on me, not whoever sent me the virus.
Uhh, we're not all psycho-privacy-invaders with no ability to let go and move on, you insensitive clod.
b) The woman for opening it and infecting the computer?
c) Yahoo for not blocking it?
d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.
e) Some combination of the above?
Your basement doesn't have an email account, and doesn't leave you when you treat it badly;-)
These posts express my own personal views, not those of my employer
How did the .exe get through hmmm? Secondly, the machines should be locked down just a tad tighter one would think.
Lots of blame to go round on this one.
How did they get to that number? Removing spyware isn't that expensive. For that money you could even replace a bunch of machines and trash the old ones.
...win stupid prizes.
Wait, why did they not have sufficient protection against this? Let this be a lesson to the hospital.
The article's title is "Spyware Prank Exposes Hospital Records".
The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
In Belgium, many of the hospitals have most of their computers running Linux...
Shouldn't be opening personal e-mail at work, on corporately owned computers.
this says enough about the state of health care in the U.S., if you haven't noticed.. most of the time, the staff is doing absolutely nothing while people are waiting for them to move their ass to grab some paperwork.
i welcome reform.
this opinion is owned entirely by me but should be your opinion too.
I have uttered this before and been made fun of for it... but nonetheless I'm going to say it again. MS Windows does not work. Despite that it is consistently used all over the place, MS has failed to produce a solution that isn't prone to constant failure and problems. Maintenance is costly, and even when maintaining security it tends to fail to protect the system.
That's quite a lot of money and jail time. Good thing he didn't download a song, then he'd REALLY be in trouble.
Yeah, it's E), as all but C), because Yahoo doesn't promise 100% accuracy.
Anything can be found funny, from a certain point of view.
What could be worse than a bad breakup?
Does anyone else find it odd that the real damage was done to the patients and yet the hospital is being compensated for damages and not the patients? Wouldn't the hospital also be liable for the damages, considering that their IT department failed to put up reasonable protection?
Sigs are too short to say anything truly profound so read the above post instead.
Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.
Don't be a shithead. E-Mail is not a replacement for a file system. Nor should hospitals be using systems that are even remotely susceptible to malware. Pretending otherwise or, worse, blaming the user for defective products is an M$ attitude. There are two underlying problems hidden:
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault; the hospital management who signed off on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender, of course).
2) Any self-respecting milter can strip ALL attachments automatically and delete them. MIMEDefang is a good example, but one of many. The stripping of attachments can even include a non-looping auto-reply to the sender including instructions on the correct way to transfer files.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Correct me if i am wrong, but medical records like this should not even be on the same network that connects to the outside. Corporations everywhere have dedicated intranets for such private matters along with a public internet that is 100% unconnected to the internal system. Poor poor poor structure from top to bottom.
Since when does being a Socialist mean 'someone who has a different opinion than me'?
....I would judge b) thru e) as incompetence, and a) as malice aforethought.
The woman is a careless victim, the patients are innocent victims, the hospital is a victim of its own incompetence, the guy is a creepy bunny-boiler who got more than he bargained for when he deliberately hacked her computer.
If I were Judge Judy, after lecturing all three on their different styles of stupidity I would then award as follows...;
The hospital would get nothing in the way of compensation and would be forced to come back in a month with a happy court-appointed ipsec auditor.
The woman would at worst get a written warning from the hospital.
$30K, three months, plus a GPS bracelet for a year, plus costs would seriously fuck with the guy's personal life, which seems fair punishment to me in an eye-for-an-eye kind of way.
It's impractical to involve individual patients, so the $30K would compensate the "patients" by seriously upgrading the box of broken plastic and tattered books that children's wards euphemistically call their "toy box".
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Why don't they fine the guy $100 for trying to spy on his girlfriend, and why don't they fine the woman $50,000 in damages and fire her for violating hospital security procedures (at least two of them: viewing private e-mail on work computers, clicking on executable attachments)?
Why don't they fine the hospital $1Million for not properly protecting the privacy of their patients?
Did the guy intend to spy on the medical procedures of those patients? No!
Suppose you're walking around as a tourist somewhere happily shooting pictures of the landmarks with your expensive new 24 megapixel camera with 400mm zoom lens. So you shoot a picture which say captures some trade secret. Now do you get thrown in jail for industrial espionage?
It is completely different if you specifically buy that camera and lens with the intent to take those industrially sensitive pictures, and especially position yourself in a way that you can photograph the competitions board room.
We need to automatically post the top story of the day 4,5,6 years ago from now, you could use.
Take the most commented story on those 3 days in question, repost it.
Also why doesn't /. work on chrome, the +- thingy appear at the bottom of the story.
Exception Duck - may or may not contain chicken.
Seems like everyone is discussing the more technical details of this incident. I, for one, am much more "interested" in the moralistic side. I find it lowlife that this scumbag could not be man enough to realize the woman wanted to fuck someone else, and was so desperate as to reduce himself to a stalker, and not even a stalker that you can actually identify as a stalker, but a stalker that is himself "stealthy". After all, planting spyware, provided you don't get caught, does not get more anonymous than that. Wussy. Then again, our "human nature" gets the best of us every single time. Practically, the five disturbing feelings (after Buddha's terminology) - jealousy, anger, pride, ignorance and attachment/desire - rule our societies.
"Are there any proxies who can filter _all_ sort of packing/zipping/password protected executable files with a 100% hit rate? I doubt it."
What????
Don't you know about limited user rights? That prevents ANY installation of ANY program.
If someone accidentally kills someone else while driving a car, he or she will get less time for manslaughter than this man is supposedly getting for sending an email to a PRIVATE address.
Is this story a hoax? There is only one other report, and that report is identical: Misdirected Spyware Infects Ohio Hospital. Both apparently came from the IDG News Service. This is the last sentence of both stories: "A spokeswoman with the Akron Children's Hospital was unaware of the case and unable to comment." She was unaware of a case that is 18 months old?
b) The woman for opening it and infecting the computer?
Yes, for abject stupidity.
That depends on how well the executable was disguised.
It depends on whether it launched when she opened the e-mail. It depends on the content and header of the e-mail itself.
It depends on the security of her home computer. Her own e-mail program or browser. The protection provided by her ISP.
Think it through.
Imagine yourself as the specific target of a malicious attachment. Crafted by someone who knew you well. Who "thinks geek."
I received an e-mail once from a respected open source project that linked directly to the Windows executable. Something I'd never seen from Microsoft.
Under what circumstances would anyone consider spyware a prank ?
What a depressingly stupid machine.
Build-in a kill switch for when your spyware hits the wrong machines.
We should not allow questions of security or negligence to divert from the fact that the root cause here was criminal activity, stalking, and it is the criminal who should be caught and punished. Otherwise we ultimately end up in the position of saying "well, the mugger was at fault, but it's also the fault of the victim for being 80 years old." This guy is, put simply, ethically challenged bottom feeding scum. Make him do community service emptying bedpans in the hospital for six months. But don't give him the excuse "they let me do it, it's their fault".
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Wait...What?!?
using Windows?!
I wouldn't describe that as a "prank." More like an "attempt at stalking." Rearranging her icons would be a prank. Screen-shotting her emails and bank account info is malicious.
The email came from a known source, not a random spam or phish. It was from a person she knew - not a hacker, just an asshole using pre-packaged spyware that any jerk can buy off the internet. He deserves at minimum a fine, and probably some jail time.
Back in the 90s I used to run an OS 9 Mac-only lab. Our campus security head claimed it was vulnerable to viruses, and I said it was not. He said "Well, I could make a macro virus, attach it to a spreadsheet and send it to you and infect your Mac." I said, "Yes you could, and I would open it, too - because it was from the head of campus security!"
So, technically he was right but in practice I was right - the Macs were only vulnerable to a small set of malware and we wouldn't open files sent from people we didn't know. If someone you know & trust is bent on screwing you over, is it really your fault?
I had not read that. In that PDF file, Robert W. Kern, U.S. Attorney, (216) 622-3836, seems to be going to a lot of trouble to downplay the case. It reads VERY differently than the story to which Slashdot linked. Maybe he wants to convict without having people understanding and protesting the conviction.
Quote: "Graham, who is set to formally enter a guilty plea on Sept. 30 to one count of illegally intercepting electronic communications, will pay $33,000 to the hospital for damages caused by the incident. He faces a maximum sentence of five years in prison. "
The hospital didn't use even the most minimum methods to prevent infection, so he must pay $33,000 for problems he certainly did not intend to cause?
Doctors demand (and get) access to the malware laden web from hospital PCs? No problem.
The hospital PCs should have been running Linux, with the hospital records and all outside web access restricted to separate virtual machines (both running Windows if so required by the hospital record software). Or running as thin clients, using X or remote desktop access to VMs running in the hospital's server closet. Outside web access VMs get infected? Re-image 'em. Maybe nightly for good measure. No shared data with the HIPAA record access VMs anyway. The malware on the VM can only scrape its virtual display, and see nothing in the other VMs.
Or just junk the PCs as they exceed their useful life, and replace them with more power-efficient thin client boxen with no HDs to infect/clean.
I've been given 'orders' like that also, but have managed to persuade the person.
Are you sure that your manner, tone, and ability to explain complex technical problems isn't the issue?
Your situation sounds rather unbelievable. But I've only worked for one hospital, so my experience is fairly limited. Was this before HIPAA?
How come this girl was checking her personal email on a work computer? Most jobsites I've visited have a policy to NOT allow this to happen.
Understanding the scope of the problem is the first step on the path to true panic.
Maybe they should tack required tighter-than-a-nun's-asshole network security in anything dealing with medical patients onto that massive Health Reform bill they're trying to beat into our skulls.
If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
How many of you read and posted replies during working hours? How many of you consider slashdot.org related to your job enough that you justify reading and posting? How many of you are going through a separation right now? How many of you read your personal email at work?? Yeah, I get joke emails from people all the time and guess what? I see all the corp. domains in the cc: list. You think, patient data is a problem? So what if Mr Jones is getting a penis extension. Oh Yeah, When you go into work Monday and start to surf the web... (To do whatever. News. Sports, Personals, and/or Porn). What are you going to do if it is all blocked?
Okay. The hospital CEO was lying in a roadway, taking a nap. Someone in a car ran over him. Should the driver go to jail?