Spyware Prank Exposes Hospital Medical Records
cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."
He should have just planted a GPS in her handbag, then he'd have the full protection of Massachusetts law.
So what's happening to the woman who stupidly ran an exe she received in an email?
I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
This incident could very well be the least of their problems for all they know.
The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.
Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
(Not relevant to this thread but interesting, nonetheless)
Nicotine-free hiring policy
Because it's important for healthcare providers to promote a healthy environment and lifestyle, Akron Children's Hospital has a nicotine-free hiring policy.
Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
Akron Children's will not hire applicants who test positive for nicotine use.
If you test positive for nicotine, the offer of employment made to you will be rescinded.
If after 90 days you successfully quit using nicotine, you may reapply for employment.
Uhh, we're not all psycho-privacy-invaders with no ability to let go and move on, you insensitive clod.
b) The woman for opening it and infecting the computer?
c) Yahoo for not blocking it?
d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.
e) Some combination of the above?
Your basement doesn't have an email account, and doesn't leave you when you treat it badly;-)
These posts express my own personal views, not those of my employer
How did the .exe get through hmmm? Secondly, the machines should be locked down just a tad tighter one would think.
Lots of blame to go round on this one.
How did they get to that number? Removing spyware isn't that expensive. For that money you could even replace a bunch of machines and trash the old ones.
...win stupid prizes.
The article's title is "Spyware Prank Exposes Hospital Records".
The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
In Belgium, many of the hospitals have most of their computers running Linux...
That's quite a lot of money and jail time. Good thing he didn't download a song, then he'd REALLY be in trouble.
Almost a good analogy, except that mail bombs are not sent as frequently as malicious emails. If a significant portion of packages contained explosives, then yes, we probably would hold recipients accountable for not taking appropriate precautions when opening their mail.
Yeah, it's E) as all but C) because Yahoo doesn't promise 100% accuracy.
Anything can be found funny, from a certain point of view.
What could be worse than a bad breakup?
Does anyone else find it odd that the real damage was done to the patients and yet the hospital is being compensated for damages and not the patients? Wouldn't the hospital also be liable for the damages considering that their IT department failed to put up reasonable protection?
Sigs are too short to say anything truly profound so read the above post instead.
No.
If you mailed me a package with a cover letter saying "attach the fuse so and so, and you can see FUNNY KITTENS", and I did, THAT would be just as much my fault.
And since she ran the attachment, she's at fault too. In theory, his email account could have been taken over by bad bad men, who spammed evil viruseses to all his contacts. In that case, it would have been purely her fault (not his).
Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.
Don't be a shithead. E-Mail is not a replacement for a file system. Nor should hospitals be using systems that are even remotely susceptible to malware. Pretending otherwise or, worse, blaming the user for defective products is an M$ attitude. There are two underlying problems hidden:
1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault; the hospital management who signed off on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).
2) Any self-respecting milter can strip ALL attachments automatically and delete them. MIMEDefang is a good example, but one of many. The stripping of attachments can even include a non-looping auto-reply to the sender including instructions on the correct way to transfer files.
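As an added illustration of the attachment-stripping behaviour the post above describes (example code written for this page, not MIMEDefang's own code and not from anyone in the thread): it drops every non-text part of a constructed sample message and builds a notice to the sender that is suppressed for null/daemon senders and for mail already marked Auto-Submitted, so it cannot loop. The sample message and the postmaster address are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample (not from the thread): one text line plus a base64
# "executable" attachment of the kind a milter would strip.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\nTo: recipient@hospital.invalid\r\n"
    "Subject: check this out\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nOpen the attachment!\r\n"
    "--b1\r\nContent-Type: application/octet-stream; name=funny.exe\r\n"
    "Content-Disposition: attachment; filename=funny.exe\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA//8AAA==\r\n"
    "--b1--\r\n"
)
POSTMASTER = "postmaster@hospital.invalid"  # assumed notification sender

def filter_message(raw):
    """Parse raw mail, keep only inline text parts (every attachment goes,
    not just .exe), and return (clean_message, dropped_names, notice)."""
    msg = email.message_from_string(raw, policy=policy.default)
    clean = EmailMessage()
    for name, value in msg.items():  # keep routing headers, drop MIME ones
        if name.lower() not in ("content-type", "content-transfer-encoding",
                                "mime-version"):
            clean[name] = str(value)
    kept, dropped = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment() or part.get_content_maintype() != "text":
            dropped.append(part.get_filename() or "unnamed-part")
        else:
            kept.append(part.get_content().strip())
    if dropped:
        kept.append("[%d attachment(s) removed by the mail filter]" % len(dropped))
    clean.set_content("\n".join(kept))
    return clean, dropped, notify_sender(msg, dropped) if dropped else None

def notify_sender(msg, dropped):
    """Notice to the sender, or None when replying could start a loop:
    null/daemon senders and mail already marked Auto-Submitted (RFC 3834)."""
    sender = str(msg.get("Return-Path") or msg.get("From") or "").strip()
    if not sender or sender == "<>" or "mailer-daemon" in sender.lower():
        return None
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return None
    reply = EmailMessage()
    reply["From"], reply["To"] = POSTMASTER, sender
    reply["Subject"] = "Attachments removed: " + str(msg.get("Subject", ""))
    reply["Auto-Submitted"] = "auto-replied"  # keeps other responders quiet
    reply.set_content("Removed: " + ", ".join(dropped) +
                      "\nUse the approved file transfer service instead.")
    return reply
```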
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Correct me if I am wrong, but medical records like this should not even be on the same network that connects to the outside. Corporations everywhere have dedicated intranets for such private matters along with a public internet that is 100% unconnected to the internal system. Poor poor poor structure from top to bottom.
Since when does being a Socialist mean 'someone who has a different opinion than me'?
So if I was to mail you a package with three sticks of dynamite, a blasting cap, and had it rigged to blow up when you opened it... it'd be your fault for getting blown up?
Yes, but that is something that is lethal... This, while dangerous, hasn't directly killed anyone involved. It'd be more like sending someone a bag of dog shit and stinking up their house when they open it. It can eventually go away but you'll always remember what happened.
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
It's more like sending someone a bag of dog shit, and that someone is an idiot, who eats the dog shit. Then blames you.
# cat
Damn, my RAM is full of llamas.
....I would judge b) thru e) as incompetence, and a) as malice aforethought.
The woman is a careless victim, the patients are innocent victims, the hospital is a victim of its own incompetence, the guy is a creepy bunny-boiler who got more than he bargained for when he deliberately hacked her computer.
If I were Judge Judy, after lecturing all three on their different styles of stupidity I would then award as follows:
The hospital would get nothing in the way of compensation and would be forced to come back in a month with a happy court-appointed ipsec auditor.
The woman would at worst get a written warning from the hospital.
$30K, three months, plus a GPS bracelet for a year, plus costs would seriously fuck with the guy's personal life, which seems fair punishment to me in an eye-for-an-eye kind of way.
It's impractical to involve individual patients so the $30K would compensate the "patients" by seriously upgrading the box of broken plastic and tattered books that children's wards euphemistically call their "toy box".
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Why don't they fine the guy $100 for trying to spy on his girlfriend, and why don't they fine the woman $50,000 in damages and fire her for violating hospital security procedures (at least two of them: viewing private Email on work computers, clicking on executable attachments)?
Why don't they fine the hospital $1Million for not properly protecting the privacy of their patients?
Did the guy intend to spy on the medical procedures of those patients? No!
Suppose you're walking around as a tourist somewhere happily shooting pictures of the landmarks with your expensive new 24 megapixel camera with 400mm zoom lens. So you shoot a picture which say captures some trade secret. Now do you get thrown in jail for industrial espionage?
It is completely different if you specifically buy that camera and lens with the intent to take those industrially sensitive pictures, and especially position yourself in a way that you can photograph the competitions board room.
Seems like everyone is discussing the more technical details of this incident. I, for one, am much more "interested" in the moralistic side. I find it lowlife that this scumbag could not be man enough to realize the woman wanted to fuck someone else, and was so desperate as to reduce himself to a stalker, and not even a stalker that you can actually identify as a stalker, but a stalker that is himself "stealthy". After all, planting spyware, provided you don't get caught, does not get more anonymous than that. Wussy. Then again, our "human nature" takes the best of us every single time. Practically, the five disturbing feelings (after Buddha's terminology) - jealousy, anger, pride, ignorance and attachment/desire - rule our societies.
"Are there any proxies who can filter _all_ sort of packing/zipping/password protected executable files with a 100% hit rate? I doubt it."
What????
Don't you know about limited user rights? That prevents ANY installation of ANY program.
If someone accidentally kills someone else while driving a car, he or she will get less time for manslaughter than this man is supposedly getting for sending an email to a PRIVATE address.
Is this story a hoax? There is only one other report, and that report is identical: Misdirected Spyware Infects Ohio Hospital. Both apparently came from the IDG News Service. This is the last sentence of both stories: "A spokeswoman with the Akron Children's Hospital was unaware of the case and unable to comment." She was unaware of a case that is 18 months old?
b) The woman for opening it and infecting the computer?
Yes, for abject stupidity.
That depends on how well the executable was disguised.
It depends on whether it launched when she opened the e-mail. It depends on the content and header of the e-mail itself.
It depends on the security of her home computer. Her own e-mail program or browser. The protection provided by her ISP.
Think it through.
Imagine yourself as the specific target of a malicious attachment. Crafted by someone who knew you well. Who "thinks geek."
I received an e-mail once from a respected open source project that linked directly to the Windows executable. Something I'd never seen from Microsoft.
Under what circumstances would anyone consider spyware a prank ?
What a depressingly stupid machine.
Build-in a kill switch for when your spyware hits the wrong machines.
Well, if I'd get mail from random strangers every day and a good portion of those contain mail bombs, then yes, I'd probably only have to blame myself if it goes off in my face.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
We should not allow questions of security or negligence to divert from the fact that the root cause here was criminal activity, stalking, and it is the criminal who should be caught and punished. Otherwise we ultimately end up in the position of saying "well, the mugger was at fault, but it's also the fault of the victim for being 80 years old." This guy is, put simply, ethically challenged bottom feeding scum. Make him do community service emptying bedpans in the hospital for six months. But don't give him the excuse "they let me do it, it's their fault".
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
then yes, we probably would hold recipients accountable for not taking appropriate precautions when opening their mail.
They might get in trouble with their work if their work has trained their employees to do this (we don't know if that's the case). But it would never be a criminal offence - and we would still charge the guy responsible.
The guy's an idiot. Maybe he doesn't deserve years in prison, but he's stupid to even try such a thing. I don't understand why this is a "lesson" to geeks, as TFS suggests - as a geek, the idea of using technology to invade privacy is the sort of thing I would oppose on principle.
I wouldn't describe that as a "prank." More like an "attempt at stalking." Rearranging her icons would be a prank. Screen-shotting her emails and bank account info is malicious.
I had not read that. In that PDF file, Robert W. Kern, U.S. Attorney, (216) 622-3836, seems to be going to a lot of trouble to downplay the case. It reads VERY differently than the story to which Slashdot linked. Maybe he wants to convict without having people understanding and protesting the conviction.
Quote: "Graham, who is set to formally enter a guilty plea on Sept. 30 to one count of illegally intercepting electronic communications, will pay $33,000 to the hospital for damages caused by the incident. He faces a maximum sentence of five years in prison. "
The hospital didn't use even the most minimum methods to prevent infection, so he must pay $33,000 for problems he certainly did not intend to cause?
Er, you're begging to 1. be downmodded 2. harm your karma 3. for no good reason because when it's downmodded, nobody will see it anyway. Posts like that are what User Journals are for. Your journal is never offtopic and can't be modded down no matter if it's a blatant troll or flamebait.
And contrary to popular belief, journals DO get read.
Free Martian Whores!
Doctors demand (and get) access to the malware laden web from hospital PCs? No problem.
The hospital PCs should have been running Linux, with the hospital records and all outside web access restricted to separated virtual machines (both running Windows if so required by the hospital record software). Or running as thin clients, using X or remote desktop access to VMs running in the hospital's server closet. Outside web access VMs get infected? Re-image 'em. Maybe nightly for good measure. No shared data with the HIPAA record access VMs anyway. The malware on the VM can only scrape its virtual display, and see nothing in the other VMs.
Or just junk the PCs as they exceed useful life, and replace them with more power-efficient thin client boxen with no HDs to infect/clean.
I've been given 'orders' like that also, but have managed to persuade the person.
Are you sure that your manner, tone, and ability to explain complex technical problems isn't the issue?
Your situation sounds rather unbelievable. But I've only worked for one hospital, so my experience is fairly limited. Was this before HIPAA?
How come this girl was checking her personal email on a work computer? Most jobsites I've visited have a policy to NOT allow this to happen.
Understanding the scope of the problem is the first step on the path to true panic.
Maybe they should tack required tighter-than-a-nun's-asshole network security in anything dealing with medical patients onto that massive Health Reform bill they're trying to beat into our skulls.
If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
How many of you read and posted replies during working hours? How many of you consider slashdot.org related to your job enough that you justify reading and posting? How many of you are going through a separation right now? How many of you read your personal email at work?? Yeah, I get joke emails from people all the time and guess what? I see all the corp. domains in the cc: list. You think patient data is a problem? So what if Mr Jones is getting a penis extension. Oh yeah, when you go into work Monday and start to surf the web... (To do whatever. News, sports, personals, and/or porn.) What are you going to do if it is all blocked?
Ok, I can see how you would consider this off topic. And I have not ever seen the journals until you brought it up. So I will explain. She was using the computer to do something that didn't directly relate to her job function. I assume that the hospital didn't give employees outside web mail addresses. People pass around emails all the time, "Check out this cool screensaver." It is done everywhere and IT is what keeps me busy. Now, this doesn't make her at fault on her own. Who knows, she probably could not read her email at home for the same reason.

But the major posts above argue points about reading, running programs and such and having administrator rights. By the way, you can run a program from a website without admin rights and it runs right out of the temp folder. Then it is a matter of time before the program infects other users. But you can't get some stupid web portal or remote SSL desktop connection to work correctly without it. And there are a lot of database client programs running around that require administrator rights, because they must have read/write access to the systemroot or systemprograms folders. Where do MySQL and MSSQL install the database by default? C:\Programs files\.... It is hard to get IE settings to work for every user without manually doing it as that user.

Quote from the article: "That points to a security failing at that hospital, but then they aren't that different from 99 percent of companies out there." Sorry: very frustrating. As an admin you are expected to provide security. But if you block too much or won't give out passwords you are an overprotective administrator. You run a risk of being locked up, fired, sued, etc. I could bitch for hours and hours. I could say something supportive of MS VISTA but then I know I would be a troll. Which would be funny as I refused to use it, and refuse to use IE unless I have to.

Personally $33,000.00 is light, the medical professional could lose her job and the hospital is at risk.
"3 Wrongs"
Okay. The hospital CEO was lying in a roadway, taking a nap. Someone in a car ran over him. Should the driver go to jail?