Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spyware Prank Exposes Hospital Medical Records

Posted by kdawson on from the epic-keylogger-fail dept.

cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."

34 of 319 comments (clear)

  1. Wrong type of tracking by jrumney · · Score: 4, Funny

    He should have just planted a GPS in her handbag, then he'd have the full protection of Massachusetts law.

    1. Re:Wrong type of tracking by nedlohs · · Score: 4, Insightful

      Really, you think he had a search warrant?

  2. The Woman by some_guy_88 · · Score: 5, Insightful

    So what's happening to the woman who stupidly ran an exe she recieved in an email?

    1. Re:The Woman by QuantumG · · Score: 4, Interesting

      In a hospital no less.

      What happened to the geek who setup the transparent web proxy that allowed that?

      --
      How we know is more important than what we know.
    2. Re:The Woman by QuantumG · · Score: 4, Insightful

      Most all of them can be configured to reject anything they can't verify as "safe". Whitelist, don't blacklist, it's the first rule of security.

      --
      How we know is more important than what we know.
    3. Re:The Woman by mcvos · · Score: 5, Insightful

      Whitelist, don't blacklist, it's the first rule of security.

      Except when you're mandated to provide general internet access.

      If for whatever silly reason you need to provide general, unprotected internet access, you do that with seperate machines, isolated from the hospital medical record stuff.

      Whichever way you spin this, it's a horrible, gaping hole in the security of the hospital's computer system. The people who set it up and authorised it need to be fired and replaced by people who know something about (the need for) security.

    4. Re:The Woman by NatasRevol · · Score: 3, Insightful

      Yeah, but it doesn't do a damn thing in this case, or most places at work, where users can access their personal mail accounts via webmail.

      --
      There are two types of people in the world: Those who crave closure
    5. Re:The Woman by guruevi · · Score: 4, Insightful

      You obviously don't work at a hospital. It would be very unpractical to provide 2 machines to every person, 1 for web access and 1 for hospital records. The issue is that this person ran spyware that she received. Virus scanners won't help, the only thing that could help is that she shouldn't have admin privileges (which is kinda impossible with some hospital software on Windows) or she shouldn't be running on the Windows platform (Mac or Linux can be more granular when running programs as an Administrator).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    6. Re:The Woman by berzerke · · Score: 4, Interesting

      Also the admin needs to get fired too, he is not doing his job!

      So many attempts to blame the admin, without knowing the circumstances. In the real world, security costs money. Money is limited. Security "interferes" with work. Interfering with work too much won't be tolerated by the higher ups. I've seen it multiple times. If security interferes with some new wiz-bang software that management wants, then the security goes. An admin that refuses get fired. For those that don't work in IT, you'd be surprised how many security decisions are made by people not qualified to make such decisions.

      Let me give you two real-life examples. I worked as the IT head at a medical clinic. Some medical billing software was leased with my knowledge and it came with it's own AIX server. The root password was blank and it had to be connected to the rest of the LAN. I was not allowed to touch the machine by my boss's boss. Later on, she had the bright idea of allowing remote access. I objected in writing, backed by my boss. Objection overruled. Within a week, the server was rooted. It took the company who owned the server 3 months to figure out it wasn't a hardware issue, despite my warnings on the first day of trouble.

      Second, more recent example, from just two weeks ago. I was ordered to connect an XP SP2 machine (not under my control) directly to the Internet AND the internal LAN. I was not allowed to filter any traffic (I tried and was ordered to stop) or purchase/install any additional hardware (no approval), including wiring. It's a VOIP server and the company higher ups what to be able to have a company phone anywhere. A port scan shows Windows Firewall is disabled, and I have no idea if there is at least any AV software (not allowed to touch it). Remember, I'm under orders to give it unfettered Internet and LAN access, at the same time. Secure? No. But I'm under direct orders to do it this way. At this point, the best I can think to do is put my objections in writing so I have a CYA paper trail (already done).

  3. HIPAA - SHMIPAA by C18H27NO3+ · · Score: 5, Insightful

    I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
    This incident could very well be the least of their problems for all they know.
    The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.


    Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
    (Not relevant to this thread but interesting, nonetheless

    Nicotine-free hiring policy
    Because itâ(TM)s important for healthcare providers to promote a healthy environment and lifestyle, Akron Childrenâ(TM)s Hospital has a nicotine-free hiring policy.
    Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
    Akron Childrenâ(TM)s will not hire applicants who test positive for nicotine use.
    If you test positive for nicotine, the offer of employment made to you will be rescinded.
    If after 90 days you successfully quit using nicotine, you may reapply for employment.

    1. Re:HIPAA - SHMIPAA by pz · · Score: 3, Informative

      I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?

      This incident could very well be the least of their problems for all they know.

      The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.

      Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.

      Given this transgression and their draconian nicotine policy (which surely must be illegal), the moral of the story is clear: do not, under any circumstances, seek treatment at Akron Children's Hospital.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    2. Re:HIPAA - SHMIPAA by Mr.+Roadkill · · Score: 3, Interesting

      Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.

      That'll be interesting in the future - discrimination on the grounds of disability or medical condition, perhaps?

      There's some evidence that nicotine delivered by patch can help with things like parkinsons, alzheimers, depressive conditions, ADD and a whole lot of other things. Various native peoples have ingested tobacco to treat constipation and wom infestations, and I see no reason why people using it exclusively as a herbal remedy for these or other conditions should be penalised. I'm a non-smoker and won't take it up - I think it's disgusting - but if nicotine patches were safe and effective and cheap when compared with other medication I'd use them and take my prospective employers to court if need be. I'd also be the guy passing around the poppseed bagels, fwiw...

    3. Re:HIPAA - SHMIPAA by neurogeneticist · · Score: 5, Informative

      I actually am a physician, and work at a hospital with electronic records. We do not have, nor have I ever worked at a hospital the does have, an independent set of computers with medical records, separate from ones to use for other purposes. The work-flow is just not feasible with such a system, which would require us to look things up on one computer while referencing and typing notes into another one, while dozens of other people walk around the unit trying to do the same thing.

      If you really want your mind blown, many electronic medical record systems run through internet browsers, and are not compatible with anything other than IE.

      Oh, and I can access it from home with an RSA key if Clean-client thinks my machine looks OK.

      Locking down sounds good to some of you, but it would break the workflow in a medical system that is already operating near the breaking point.

  4. Stereotype much? by CarpetShark · · Score: 4, Insightful

    Let this be a lesson to all the broken-hearted geeks out there.

    Uhh, we're not all psycho-privacy-invaders with no ability to let go and move on, you insensitive clod.

    1. Re:Stereotype much? by WarJolt · · Score: 4, Funny

      Hey!!! speak for yourself.

    2. Re:Stereotype much? by RuBLed · · Score: 3, Funny

      Let this be a lesson to all the broken-hearted geeks out there.

      Geeks create and/or build their own keyloggers from code so we would be sure that the chances it would be detected are low and that we are the only ones who would see it.

      Also there is no such thing as a broken-hearted geek. Natalie Portman is still alive.

  5. Who is really at fault? by 89cents · · Score: 5, Insightful
    a) The man for emailing the spyware?

    b) The woman for opening it and infecting the computer?

    c) Yahoo for not blocking it?

    d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

    e) Some combination of the above?

    1. Re:Who is really at fault? by wordsnyc · · Score: 5, Insightful

      d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

      Bingo. They failed to take steps a reasonably prudent person would have taken to protect patient confidentiality under Federal law. Spyware installation via email is not exactly news.

      --
      Sent from the iPad I found in your car.
    2. Re:Who is really at fault? by pz · · Score: 4, Insightful

      a) The man for emailing the spyware?

      Yes, for causing spyware to be installed. Electronic trespassing. Theft of HIPPA-regulated information. Stalking.

      b) The woman for opening it and infecting the computer?

      Yes, for abject stupidity.

      c) Yahoo for not blocking it?

      Probably not.

      d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

      Yes, for IT incompetence. But they are also liable for some serious charges for violation of HIPPA regulations. It's entirely possible they will lose all Federal support. Breaching HIPPA is a big deal.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    3. Re:Who is really at fault? by BenevolentP · · Score: 3, Insightful

      Im so sick of the "guilty of stupidity" argument so common here on slashdot.
      For most people, computers are still a small, convenient part of life, so they don't educate themselves about it's threats.

      But even if they are actually stupid, as in low IQ or poor planning abilities, that does NOT make them guilty in any sense if they're victims of some sad, controlling stalker.

      Reminds me a little of some people who say that people who get caught smoking pot 3 times deserve the 25 years in prison they get in some stone-age places i heard of because they were "so stupid".

      Stupid people suffer, too, and are mostly not at fault for their stupidity.

    4. Re:Who is really at fault? by malkavian · · Score: 5, Interesting

      Right. Ever worked in that environment? Nope? Thought not.. I have..
      You're faced with:

      Consultant (medical doctor) says "I need to access the net to be able to read research papers, proposals, and various ad hoc sites that contain research on the subjects that I deal with, along with external mail that I use because I move from hospital to hospital quite regularly.".
      IT says: "You can't access the net from that machine".
      Consultant goes to see hospital directors, stamps feet, and IT get overridden.

      Bear in mind there are several thousand PCs on a lot of hospital sites, with maybe 3 technicians to go fix and maybe one or 2 sysadmins. Hospital HR frequently sees IT as just waving a magic wand and things happen miraculously, so it's a "good way to save costs".
      If you tie machine names down that can't access the net, I can guarantee a consultant will find a way to get a machine in the area that does, even if it's moving someone else's there.
      As for breaking terms and conditions of use. Who do you think will win that pissing competition? Someone in the beleagured and under funded/under resourced IT department who is overlooked and overworked, or the consultant with the hand shakes and the ear of the board of directors?

      Coupled with the fact that not all antivirus and anti-malware will spot every variant. It'll get 90+ percent, but you always hear about the ones that get through.
      I'm surprised an executable got through the proxy filtering there, but hey.. Without knowing all the ins and outs of this in detail, I'm going to reserve judgement.

      The real world can be a messy morass of politics.. Working in a hospital, or academia, really has that in excess.. Try working in one if you think it's easy.. I'd be interested in hearing your opinion after doing it for a while..

    5. Re:Who is really at fault? by Dhalka226 · · Score: 5, Insightful

      d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed. Bingo. They failed to take steps a reasonably prudent person would have taken to protect patient confidentiality under Federal law.

      Consultant goes to see hospital directors, stamps feet, and IT get overridden.

      You make a compelling argument for not firing the IT guy for what happens which, let's face it, is probably what will happen after they scapegoat him if anything bad happens to the hospital.

      However, "they" in the GP's post referred to "the hospital." In that sense it doesn't really matter if it's an incompetent IT staffer, a cranky doctor or poor executive management. Something that needed to be done under the law wasn't done, and the result was the leaking of confidential medical information. The hospital still deserves both blame and punishment for that.

    6. Re:Who is really at fault? by PinchDuck · · Score: 4, Informative

      I've worked in the IT department of hospitals in the UK, Australia, and the United States. The situation is the same in every one, you described it perfectly. Physicians are gods, and will be allowed to circumvent any IT policies they see fit, even if it exposes the entire hospital to a security risk.

    7. Re:Who is really at fault? by Opportunist · · Score: 3, Insightful

      You ARE aware that the victims in this case are the patients of the hospital, not the woman who foolishly installed the spyware, yes?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Not a Prank by pz · · Score: 4, Informative

    The article's title is "Spyware Prank Exposes Hospital Records".

    The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:Not a Prank by coaxial · · Score: 5, Insightful

      why is this that fellow that is responsible for getting the records - this was obviously not his goal and if he is charged for it then it is just laughable.

      What the hell is this supposed to mean? Since when has committing a crime unintentionally ever been a defense?

      "Oh officer! I wasn't INTENDING to kill all the cancer stricken orphans when I driving drunk, speeding, and firing my gun wildly! I just intending to disturb the peace!"
      "Oh! Well, that's a horse of a different color! I'll let you go with a warning then. Just try and keep it down next time. People are trying sleep around here."
      "Will do!"

      but why is the hospital getting the money - they are guilty of criminal negligence in handling patients' data so they should be paying not getting paid.

      1. It's criminal trespassing to access a computer without permission. Which he did by sending the spyware to someone with the intent to observe them.
      2. The hospital didn't hand out the data. It was stolen. It's still theft even if I leave the door wide open. It wasn't his. He has it, as a result of his actions.

      to me it looks like one more example of justice system malfunctioning. It is not a great malfunction but shows that punishment and the crime are matched not by the facts but by the random acts of gov. officials. Was it not something that american constitution tried to prevent?

      The opinion of someone who is woefully ignorant of the law, the intent of the law, common law, and basic morality, but yet somehow is an expert on constitutional law.

      It must be tough being so smart and surrounded by so many people that are blind to your brilliance.

      Go home and cry in your Ayn Rand novel.

    2. Re:Not a Prank by Dhalka226 · · Score: 3, Insightful

      Since when has committing a crime unintentionally ever been a defense?

      Sometimes, but more importantly it is pretty much always a mitigating factor. Your hypothetical person would be charged with reckless homicide, not capital murder (DUI = felony, murder = felony, having a gun during commission of a felony = felony). It sounds like he killed enough people in the anecdote for the differences to be semantic, but it's not nonexistent.

      Intent does matter. In this case, you can be pretty sure that's the reason the charge is only intercepting or conspiring to intercept electronic communications. They could easily have tacked on any number of unauthorized access/"hacking" charges.

      1. It's criminal trespassing to access a computer without permission. Which he did by sending the spyware to someone with the intent to observe them.

      Yeah, and? You said it yourself: criminal trespass. It's a government charge. The "victim" doesn't get the money. If they want to recover whatever it cost them to clean the systems and do whatever else it is they've done as a result of this, they can recover that via a civil action. And in any event, he wasn't charged with illegally accessing a computer system, he was charged with illegally intercepting electronic communication.

      To the degree that the government is handing over the money, the question remains. I don't know if it's an unrelated out-of-court agreement with the hospital to avoid litigation, however. The wording in the article wasn't clear.

      2. The hospital didn't hand out the data. It was stolen. It's still theft even if I leave the door wide open. It wasn't his. He has it, as a result of his actions.

      True. The question is what exactly the software did and how it works. A hospital employee shouldn't be able to install software on a department's computers at all. So what happened? Is it just really good spyware, able to avoid all the protections they had in place? Or is it that they didn't have any protections in place at all? Did the employee specifically download and run the attachment, regardless of what she thought it was? Or was it something that simply installed itself?

      The answers to those questions don't matter in terms of what the man did, but they do matter. There are extremely strict laws on the books about protecting patient data. If this is a symptom of their failure to do so, they could easily end up on the wrong side of legal action by either the government or the patients whose data was disseminated. I've no doubt that's what the OP was referring to when he said they should be paying, not getting paid. We don't have all the facts by any means, but it sounds like their security on systems capable of accessing patient records was spotty at best. That shouldn't be any more acceptable than what the man did.

      The opinion of someone who is woefully ignorant of the law, the intent of the law, common law, and basic morality, but yet somehow is an expert on constitutional law.

      Basic morality? Really? What he did was undoubtedly wrong, and he should be punished. But do you really think it's a felony? Should he really be locked up for five years because of it, in addition to a $33,000 fine? For the average American, $33,000 is essentially a year's worth of labor for free. That's a pretty hefty punishment all by itself. Five years? That's the sort of sentence we hand out for burglary or aggravated assault. This is not a man who is a danger to society. At this point we're left simply to hope that the judge is reasonable and there is sufficient leeway in the federal sentencing guidelines that this doesn't turn into a total miscarriage of justice. Surely justice counts among the intent of the law and basically morality, doesn't it?

      Maybe I'm one of these left-wing softy types, but what this guy needs more

  7. Couldn't happen here... by Nomaxxx · · Score: 5, Interesting

    In Belgium, many of the hospitals have most of their computers running Linux...

    1. Re:Couldn't happen here... by wvmarle · · Score: 4, Insightful

      I'm sure there exists spyware for Linux as well.

      It is a lot harder to get an executable sent over e-mail to run on the system, but it is still possible. Running Linux does NOT make one immune against this kinds of attacks.

      I'm quite sure Linux is easier to secure than Windows, the core error this hospital made was not as much running Windows, as not closing off all access to the Internet. It just doesn't go together with sensitive patient data. Those Linux computers your Belgium hospitals are working with also should be shielded thoroughly from the open Internet.

  8. odd by wizardforce · · Score: 4, Insightful

    does anyone else find it odd that the real damage was done to the patients and yet the hospital is being compensated for damages and not the patients? wouldn't the hospital also be liable for the damages considering that theri IT department failed to put up reasonable protection?

    --
    Sigs are too short to say anything truly profound so read the above post instead.
    1. Re:odd by malkavian · · Score: 3, Insightful

      The hospital will be compensated for material damages. They are bound by law to inform the patients that their data has been released. Those patients will take up law suits against the hospital, which will be investigated, and they will recieve large amounts of compensation.
      Odds on, if you look at the structure, you'll see the IT dept is over worked and under funded, so the real responsibility lies with the Directorate of the hospital, penny pinching on a department they don't see as shiny enough to be well funded.

  9. Re:Hospital management at fault, not employee by horatiocain · · Score: 5, Informative

    1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed of on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).

    I have an ugly truth for you - almost every hospital in the US uses Windows (95 through XP) for every single workstation. Every single Healthcare IT software vendor develops solely for windows (save a few web-based packages.) It's a very pure MS monoculture. I know, I know, it's sick. I agree completely with the above, but the emperor is threadless here.

  10. Re:$33.000 in damages? by malkavian · · Score: 4, Insightful

    Forensics, identifying exactly what the spyware was, conducting a thorough scan of all the network to see if it had spread, identifying what data was transferred, the infection vector, the administrative overheads of stopping the normal work to call an 'emergency situation' in which the sysadmins will concentrate on this exclusively, possibly not doing other maintenance work, or systems commissioning thus holding up medical projects (with the cost to them too).
    Administrative time throughout the hospital, as a fair part of the management chain will have this as a high profile to concentrate on, police liaison (and having time to have them on site to investigate in situ, and having technical staff support them), communications time to liaise with press, people to field the phone calls that come in, extra load on the patient support lines to cope with frantic patients who aren't in the best state of mind anyway after suffering cardiac problems, who are now worrying about what of their information is in the wild.. That's the tip of the iceberg by the way.
    Begin to see how that racks up to the big numbers? The machines aren't the expense, they're practically disposable. Unfortunately, data isn't tangible, so the non-IT staff don't see this shiny big item, and thus (out of sight, out of mind) don't consider it worth spending money over. All they see is that clicking a button makes data appear. Magic. Doesn't take effort, so why do they need an IT team to make it work? They decide they don't, cut IT funding (or never put it there), and eventually something like this happens because there isn't resource to make a secure network. And when it does, who gets the blame? Even from supposed 'geeks' who are supposed to understand what it's like being in an intensive overstressed IT role?

  11. Is this story a hoax? by Futurepower(R) · · Score: 4, Interesting

    "Are there any proxies who can filter _all_ sort of packing/zipping/password protected executable files with a 100% hit rate? I doubt it."

    What????

    Don't you know about limited user rights? That prevents ANY installation of ANY program.

    If someone accidentally kills someone else while driving a car, he or she will get less time for manslaughter than this man is supposedly getting for sending an email to a PRIVATE address.

    Is this story a hoax? There is only one other report, and that report is identical: Misdirected Spyware Infects Ohio Hospital. Both apparently came from the IDG News Service. This is the last sentence of both stories: "A spokeswoman with the Akron Children's Hospital was unaware of the case and unable to comment." She was unaware of a case that is 18 months old?