Slashdot Mirror
Spyware Prank Exposes Hospital Medical Records
cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
So what's happening to the woman who stupidly ran an exe she recieved in an email?
I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
This incident could very well be the least of their problems for all they know.
The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.
Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
(Not relevant to this thread but interesting, nonetheless
Nicotine-free hiring policy
Because itâ(TM)s important for healthcare providers to promote a healthy environment and lifestyle, Akron Childrenâ(TM)s Hospital has a nicotine-free hiring policy.
Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
Akron Childrenâ(TM)s will not hire applicants who test positive for nicotine use.
If you test positive for nicotine, the offer of employment made to you will be rescinded.
If after 90 days you successfully quit using nicotine, you may reapply for employment.
Uhh, we're not all psycho-privacy-invaders with no ability to let go and move on, you insensitive clod.
b) The woman for opening it and infecting the computer?
c) Yahoo for not blocking it?
d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.
e) Some combination of the above?
Really, you think he had a search warrant?
does anyone else find it odd that the real damage was done to the patients and yet the hospital is being compensated for damages and not the patients? wouldn't the hospital also be liable for the damages considering that theri IT department failed to put up reasonable protection?
Sigs are too short to say anything truly profound so read the above post instead.
I'm sure there exists spyware for Linux as well.
It is a lot harder to get an executable sent over e-mail to run on the system, but it is still possible. Running Linux does NOT make one immune against this kinds of attacks.
I'm quite sure Linux is easier to secure than Windows, the core error this hospital made was not as much running Windows, as not closing off all access to the Internet. It just doesn't go together with sensitive patient data. Those Linux computers your Belgium hospitals are working with also should be shielded thoroughly from the open Internet.
why is this that fellow that is responsible for getting the records - this was obviously not his goal and if he is charged for it then it is just laughable.
What the hell is this supposed to mean? Since when has committing a crime unintentionally ever been a defense?
"Oh officer! I wasn't INTENDING to kill all the cancer stricken orphans when I driving drunk, speeding, and firing my gun wildly! I just intending to disturb the peace!"
"Oh! Well, that's a horse of a different color! I'll let you go with a warning then. Just try and keep it down next time. People are trying sleep around here."
"Will do!"
but why is the hospital getting the money - they are guilty of criminal negligence in handling patients' data so they should be paying not getting paid.
1. It's criminal trespassing to access a computer without permission. Which he did by sending the spyware to someone with the intent to observe them.
2. The hospital didn't hand out the data. It was stolen. It's still theft even if I leave the door wide open. It wasn't his. He has it, as a result of his actions.
to me it looks like one more example of justice system malfunctioning. It is not a great malfunction but shows that punishment and the crime are matched not by the facts but by the random acts of gov. officials. Was it not something that american constitution tried to prevent?
The opinion of someone who is woefully ignorant of the law, the intent of the law, common law, and basic morality, but yet somehow is an expert on constitutional law.
It must be tough being so smart and surrounded by so many people that are blind to your brilliance.
Go home and cry in your Ayn Rand novel.
Forensics, identifying exactly what the spyware was, conducting a thorough scan of all the network to see if it had spread, identifying what data was transferred, the infection vector, the administrative overheads of stopping the normal work to call an 'emergency situation' in which the sysadmins will concentrate on this exclusively, possibly not doing other maintenance work, or systems commissioning thus holding up medical projects (with the cost to them too).
Administrative time throughout the hospital, as a fair part of the management chain will have this as a high profile to concentrate on, police liaison (and having time to have them on site to investigate in situ, and having technical staff support them), communications time to liaise with press, people to field the phone calls that come in, extra load on the patient support lines to cope with frantic patients who aren't in the best state of mind anyway after suffering cardiac problems, who are now worrying about what of their information is in the wild.. That's the tip of the iceberg by the way.
Begin to see how that racks up to the big numbers? The machines aren't the expense, they're practically disposable. Unfortunately, data isn't tangible, so the non-IT staff don't see this shiny big item, and thus (out of sight, out of mind) don't consider it worth spending money over. All they see is that clicking a button makes data appear. Magic. Doesn't take effort, so why do they need an IT team to make it work? They decide they don't, cut IT funding (or never put it there), and eventually something like this happens because there isn't resource to make a secure network. And when it does, who gets the blame? Even from supposed 'geeks' who are supposed to understand what it's like being in an intensive overstressed IT role?
Sometimes, but more importantly it is pretty much always a mitigating factor. Your hypothetical person would be charged with reckless homicide, not capital murder (DUI = felony, murder = felony, having a gun during commission of a felony = felony). It sounds like he killed enough people in the anecdote for the differences to be semantic, but it's not nonexistent.
Intent does matter. In this case, you can be pretty sure that's the reason the charge is only intercepting or conspiring to intercept electronic communications. They could easily have tacked on any number of unauthorized access/"hacking" charges.
Yeah, and? You said it yourself: criminal trespass. It's a government charge. The "victim" doesn't get the money. If they want to recover whatever it cost them to clean the systems and do whatever else it is they've done as a result of this, they can recover that via a civil action. And in any event, he wasn't charged with illegally accessing a computer system, he was charged with illegally intercepting electronic communication.
To the degree that the government is handing over the money, the question remains. I don't know if it's an unrelated out-of-court agreement with the hospital to avoid litigation, however. The wording in the article wasn't clear.
True. The question is what exactly the software did and how it works. A hospital employee shouldn't be able to install software on a department's computers at all. So what happened? Is it just really good spyware, able to avoid all the protections they had in place? Or is it that they didn't have any protections in place at all? Did the employee specifically download and run the attachment, regardless of what she thought it was? Or was it something that simply installed itself?
The answers to those questions don't matter in terms of what the man did, but they do matter. There are extremely strict laws on the books about protecting patient data. If this is a symptom of their failure to do so, they could easily end up on the wrong side of legal action by either the government or the patients whose data was disseminated. I've no doubt that's what the OP was referring to when he said they should be paying, not getting paid. We don't have all the facts by any means, but it sounds like their security on systems capable of accessing patient records was spotty at best. That shouldn't be any more acceptable than what the man did.
Basic morality? Really? What he did was undoubtedly wrong, and he should be punished. But do you really think it's a felony? Should he really be locked up for five years because of it, in addition to a $33,000 fine? For the average American, $33,000 is essentially a year's worth of labor for free. That's a pretty hefty punishment all by itself. Five years? That's the sort of sentence we hand out for burglary or aggravated assault. This is not a man who is a danger to society. At this point we're left simply to hope that the judge is reasonable and there is sufficient leeway in the federal sentencing guidelines that this doesn't turn into a total miscarriage of justice. Surely justice counts among the intent of the law and basically morality, doesn't it?
Maybe I'm one of these left-wing softy types, but what this guy needs more