lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jul  4 23:39:41 2006
From: nobody_wuss at hotmail.com (nobody Wuss)
Subject: Undisclosed breach at major US facility

.
----- Original Message ----- 
From: "Stack Smasher" <stacksmasher@...il.com>
To: "Eric Ericson" <harlequin@...thlink.net>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Tuesday, July 04, 2006 12:22 PM
Subject: Re: [Full-disclosure] Undisclosed breach at major US facility


> Hey Jackass, I know HIPAA has stiff penalties but the fact is people
> are to fucking lazy to prosecute cases that don't involve terrorism or
> effect shareholder value, and lets face it millions of peoples
> information has been exposed in the last 5 years and NO ONE has done
> shit about it. Look at Ernest and Young for example, those fuckups
> should all be rotting in jail right now for the amount of customer
> data that has been exposed on multiple occasions. I can count 10
> incidents that I KNOW of, imagine how many have been kept quiet.
> HIPAA,Sarbanes Oxley,GLBA, and California breach act. are paper tigers
> and everyone that has a clue knows it, they are a bulldog with rubber
> teeth to give the general public a warm feeling about doing business's
> with corporations that cant get their shit together. If you think I'm
> wrong then prove it!
>
>
>
> 4) HIPAA does have teeth in a situation like this if this data disclosure
>> was due to negligence or malice. If the data was knowingly disclosed the
>> penalty can be up to a US$250,000 fine and ten years in prison. That's 
>> for
>> an individual, not an organization (as are most of the other fines).
>>
>
>
>
>
> On 7/4/06, Eric Ericson <harlequin@...thlink.net> wrote:
>> (I'm not a lawyer, but I spent a couple of three years working IS in
>> Radiology at a hospital so take it for what it's worth.)
>>
>>
>> First a couple of things:
>>
>> 1) There is no HIPAA enforcement agency. All infractions are considered
>> either a civil rights violation (yeah, I'm serious) or a criminal 
>> violation.
>>
>> 2) HIPAA applies to any company who has "data custodian" rights for any
>> electronic Patient Health Information (ePHI). That means the hospital,
>> vendors, even regular corporate HR departments (because of any 
>> information
>> they might have about your prior medical conditions in conjunction with 
>> your
>> Medical Insurance).
>>
>> 3) When you said you verified the patient data as being valid, what 
>> exactly
>> do you hypothetically mean? The reason I ask is that the Patriot act has
>> some VERY nasty penalties regarding offensive actions taken towards
>> hospitals. If you're clean though, I wouldn't stress.
>>
>> 4) HIPAA does have teeth in a situation like this if this data disclosure
>> was due to negligence or malice. If the data was knowingly disclosed the
>> penalty can be up to a US$250,000 fine and ten years in prison. That's 
>> for
>> an individual, not an organization (as are most of the other fines).
>>
>> So, with that said. What I'd recommend is that you contact the Risk
>> Management department at the Hospitals. Explain the situation to them and
>> just make it clear you're trying to help. They're biggest concern is 
>> C-ing
>> the hospital's A, so I wouldn't stress to hard on them trying to place 
>> blame
>> on you. Plus this also puts them in a situation where they knowingly have 
>> to
>> disclose to their patients, and if the Risk Management group is mostly
>> lawyers, so they're less likely to try to bury this.
>>
>> Good Luck,
>>
>> -E2
>>
>> (Oh, if you're looking for more HIPAA info, check out UCSF Medical 
>> center's
>> page at http://www.ucsf.edu/hipaa)
>>
>> --
>> Eric Ericson
>> harlequin@...thlink.net
>>
>> When the Boogeyman goes to sleep every night, he checks his closet for 
>> Chuck
>> Norris
>>
>>
>> > From: r r <anothersecurityquestion@...il.com>
>> > Date: Mon, 3 Jul 2006 18:57:43 -0400
>> > To: <full-disclosure@...ts.grok.org.uk>
>> > Subject: [Full-disclosure] Undisclosed breach at major US facility
>> >
>> > Need some advise here.
>> > I would like to know what to do if I --hypothetically speaking-- I
>> > were to retrieve _complete_ databases of a MAJOR us hospital.  My
>> > hypothetical model is not brute force, but rather an 'accidental'
>> > discovery by trying to retrieve updates from a software vendor.
>> >
>> > Let's say this Big Name software vendor, who sells itself as being an
>> > authority on security, is so flipping retarded that they stick their
>> > customer data on a public CVS server.  Let's say I sync to this and
>> > dump a couple hundreds of meg of 'updates' only to later discover that
>> > those are NOT updates.
>> >
>> > Those are data files for other customers (which when prodding, reveals
>> > itself to be very real, verified data of at least one high-profile
>> > hospital)
>> >
>> > I read up as much as I could on HIPAA, but this is beyond the slip-ups
>> > to be covered by HIPAA.  Beyond medical records and privacy, this
>> > wreaks of woeful incompetence by who should be freaking security
>> > professionals!! (4 MAJOR organizations who have royally screwed up
>> > here).
>> >
>> > First thoughts are to call HIPAA (has to be federally reported for
>> > number of people and different states affected).
>> > And while HIPAA is supposed to protect the 'whistleblower', I don't
>> > put much confidence in it.  Maybe a webpost through anonomizer (and
>> > borrowed connections) like I do to check gmail.
>> >
>> > And if these companies are notified, what happens?  A slap on the 
>> > wrist?
>> > Wash it under the rug and label the person discovering it all to be a 
>> > Black
>> > Hat?
>> > Let's not forget about the diebold fiasco(s)---(fwiw I don't work for
>> > any of the involved companies--in my theoretical model I would solely
>> > be the customer of questionable software).
>> >
>> > One idea (by one of my imaginary friends who pretends to be a doctor
>> > and a former hospital board member) was to ABSOLUTELY NOT tell the
>> > hospital for various reasons.  That alter-ego of mine instead
>> > suggested I get an attorney that specialized in that.  That sounds
>> > expensive.  Now, I feel like a victim.
>> >
>> > If _I_ have been able to discover such a gaping hole (and I didn't
>> > even TRY to find it), then I am pretty sure that it already has been
>> > taken. In any case, it will be stolen in a matter of weeks.  Since
>> > that is inevitable, I should just remove all the data I obtained and
>> > forget about it.
>> >
>> > In the end, I feel bad for the hundreds of thousands of people who can
>> > be totally raped of their identities (or be scammed for extraneous
>> > chargesl, etc etc).
>> > But, why should I be the scapegoat for pointing out that the Emperor
>> > has no clothes?
>> >
>> > Any useable thoughts?
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> -- 
> "If you see me laughing, you better have backups"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ