Message-ID: <C0D0484C.24FFB%harlequin@earthlink.net>
Date: Wed Jul  5 00:31:15 2006
From: harlequin at earthlink.net (Eric Ericson)
Subject: Undisclosed breach at major US facility

Sorry, 1 and 2 seem a bit contradictory. Let me clarify that a little (it's
the 4th, and I've had a few beers).

Enforcement on HIPAA can be either civil or criminal. The dividing line is
whether it is negligent or intentional. Intentional acts get referred to DHS for
enforcement; negligent acts are just considered civil rights violations.
There's no HIPAA police as it were, or HIPAA agency.

Cheers,

-E2
-- 
Eric Ericson
harlequin@...thlink.net

We make war that we may live in peace.
- Aristotle 


> From: Eric Ericson <harlequin@...thlink.net>
> Date: Tue, 04 Jul 2006 16:16:55 -0700
> To: Stack Smasher <stacksmasher@...il.com>
> Cc: <full-disclosure@...ts.grok.org.uk>
> Conversation: [Full-disclosure] Undisclosed breach at major US facility
> Subject: Re: [Full-disclosure] Undisclosed breach at major US facility
> 
> Granted, but there are 3 details here:
> 
> 1) DHS (who handles enforcement) stated that they would only start
> prosecuting violators as of last Feb ('06).
> 
> 2) Prosecution and liability for this stuff is also handled by the folks
> whose data is disclosed. That means it's not a DA making the decision to
> prosecute, it's the person whose data is compromised. So if my data is
> disclosed (and it might be) I pick up the phone and call my local civil
> rights attorney, and boom. You don't think some opportunistic tort lawyer
> will jump on that like they have asbestos claims, Noprain, and any dozen
> other medical lawsuits?
> 
> 3) The hospital WILL take action if you talk to them, if not because of
> HIPAA penalties, then because of how it affects their JCAHO certification (Joint
> Commission on Accreditation of Healthcare Organizations). Part of the
> inspection process is checking for HIPAA violations, and if you lose your
> JCAHO cert it means you CANNOT accept Medicare or receive federal funding.
> While that may not seem like much, given that (as an example) Stanford
> Hospital (which is one of the 10 best in the nation) gets 50% of its income
> via Medicare, it'll put the fear of god in the administration (trust me on
> that one, personal experience).
> 
> Cheers,
> 
> -E2
> -- 
> Eric Ericson
> harlequin@...thlink.net
> 
> All glory to the hypnotoad!
> 
> 
>> From: Stack Smasher <stacksmasher@...il.com>
>> Date: Tue, 4 Jul 2006 18:22:18 -0400
>> To: Eric Ericson <harlequin@...thlink.net>
>> Cc: <full-disclosure@...ts.grok.org.uk>
>> Subject: Re: [Full-disclosure] Undisclosed breach at major US facility
>> 
>> Hey Jackass, I know HIPAA has stiff penalties but the fact is people
>> are too fucking lazy to prosecute cases that don't involve terrorism or
>> affect shareholder value, and let's face it, millions of people's
>> information has been exposed in the last 5 years and NO ONE has done
>> shit about it. Look at Ernst & Young for example, those fuckups
>> should all be rotting in jail right now for the amount of customer
>> data that has been exposed on multiple occasions. I can count 10
>> incidents that I KNOW of, imagine how many have been kept quiet.
>> HIPAA, Sarbanes-Oxley, GLBA, and the California breach act are paper tigers
>> and everyone that has a clue knows it, they are a bulldog with rubber
>> teeth to give the general public a warm feeling about doing business
>> with corporations that can't get their shit together. If you think I'm
>> wrong then prove it!
>> 
>> 
>> 
>>> 4) HIPAA does have teeth in a situation like this if this data disclosure
>>> was due to negligence or malice. If the data was knowingly disclosed the
>>> penalty can be up to a US$250,000 fine and ten years in prison. That's for
>>> an individual, not an organization (as are most of the other fines).
>>> 
>> 
>> On 7/4/06, Eric Ericson <harlequin@...thlink.net> wrote:
>>> (I'm not a lawyer, but I spent a couple of three years working IS in
>>> Radiology at a hospital so take it for what it's worth.)
>>> 
>>> 
>>> First a couple of things:
>>> 
>>> 1) There is no HIPAA enforcement agency. All infractions are considered
>>> either a civil rights violation (yeah, I'm serious) or a criminal violation.
>>> 
>>> 2) HIPAA applies to any company who has "data custodian" rights for any
>>> electronic Patient Health Information (ePHI). That means the hospital,
>>> vendors, even regular corporate HR departments (because of any information
>>> they might have about your prior medical conditions in conjunction with your
>>> Medical Insurance).
>>> 
>>> 3) When you said you verified the patient data as being valid, what exactly
>>> do you hypothetically mean? The reason I ask is that the Patriot act has
>>> some VERY nasty penalties regarding offensive actions taken towards
>>> hospitals. If you're clean though, I wouldn't stress.
>>> 
>>> 4) HIPAA does have teeth in a situation like this if this data disclosure
>>> was due to negligence or malice. If the data was knowingly disclosed the
>>> penalty can be up to a US$250,000 fine and ten years in prison. That's for
>>> an individual, not an organization (as are most of the other fines).
>>> 
>>> So, with that said, what I'd recommend is that you contact the Risk
>>> Management department at the Hospitals. Explain the situation to them and
>>> just make it clear you're trying to help. Their biggest concern is C-ing
>>> the hospital's A, so I wouldn't stress too hard on them trying to place blame
>>> on you. Plus this also puts them in a situation where they knowingly have to
>>> disclose to their patients, and if the Risk Management group is mostly
>>> lawyers, they're less likely to try to bury this.
>>> 
>>> Good Luck,
>>> 
>>> -E2
>>> 
>>> (Oh, if you're looking for more HIPAA info, check out UCSF Medical center's
>>> page at http://www.ucsf.edu/hipaa)
>>> 
>>> --
>>> Eric Ericson
>>> harlequin@...thlink.net
>>> 
>>> When the Boogeyman goes to sleep every night, he checks his closet for Chuck
>>> Norris
>>> 
>>> 
>>>> From: r r <anothersecurityquestion@...il.com>
>>>> Date: Mon, 3 Jul 2006 18:57:43 -0400
>>>> To: <full-disclosure@...ts.grok.org.uk>
>>>> Subject: [Full-disclosure] Undisclosed breach at major US facility
>>>> 
>>>> Need some advice here.
>>>> I would like to know what to do if I --hypothetically speaking--
>>>> were to retrieve _complete_ databases of a MAJOR US hospital.  My
>>>> hypothetical model is not brute force, but rather an 'accidental'
>>>> discovery by trying to retrieve updates from a software vendor.
>>>> 
>>>> Let's say this Big Name software vendor, who sells itself as being an
>>>> authority on security, is so flipping retarded that they stick their
>>>> customer data on a public CVS server.  Let's say I sync to this and
>>>> dump a couple hundred megs of 'updates' only to later discover that
>>>> those are NOT updates.
>>>> 
>>>> Those are data files for other customers (which, when prodding, reveal
>>>> themselves to be very real, verified data of at least one high-profile
>>>> hospital).
>>>> 
>>>> I read up as much as I could on HIPAA, but this is beyond the slip-ups
>>>> to be covered by HIPAA.  Beyond medical records and privacy, this
>>>> reeks of woeful incompetence by those who should be freaking security
>>>> professionals!! (4 MAJOR organizations who have royally screwed up
>>>> here).
>>>> 
>>>> First thoughts are to call HIPAA (has to be federally reported for
>>>> number of people and different states affected).
>>>> And while HIPAA is supposed to protect the 'whistleblower', I don't
>>>> put much confidence in it.  Maybe a webpost through an anonymizer (and
>>>> borrowed connections) like I do to check gmail.
>>>> 
>>>> And if these companies are notified, what happens?  A slap on the wrist?
>>>> Wash it under the rug and label the person discovering it all to be a Black
>>>> Hat?
>>>> Let's not forget about the Diebold fiasco(s)---(fwiw I don't work for
>>>> any of the involved companies--in my theoretical model I would solely
>>>> be the customer of questionable software).
>>>> 
>>>> One idea (by one of my imaginary friends who pretends to be a doctor
>>>> and a former hospital board member) was to ABSOLUTELY NOT tell the
>>>> hospital for various reasons.  That alter-ego of mine instead
>>>> suggested I get an attorney that specialized in that.  That sounds
>>>> expensive.  Now, I feel like a victim.
>>>> 
>>>> If _I_ have been able to discover such a gaping hole (and I didn't
>>>> even TRY to find it), then I am pretty sure that it already has been
>>>> taken. In any case, it will be stolen in a matter of weeks.  Since
>>>> that is inevitable, I should just remove all the data I obtained and
>>>> forget about it.
>>>> 
>>>> In the end, I feel bad for the hundreds of thousands of people who can
>>>> be totally raped of their identities (or be scammed for extraneous
>>>> charges, etc etc).
>>>> But, why should I be the scapegoat for pointing out that the Emperor
>>>> has no clothes?
>>>> 
>>>> Any usable thoughts?
>>>> 
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>> 
>>> 
>>> 
>> 
>> 
>> -- 
>> "If you see me laughing, you better have backups"
> 
> 

