
Hacked dental school server compromises 300,000

By Robert Westervelt, News Editor
17 Nov 2008 | SearchSecurity.com


A server at the University of Florida's College of Dentistry was exploited remotely by an attacker, compromising the personal information of more than 336,000 patients.


In an announcement last week, the university said it discovered rogue software on a server Oct. 3 during a server upgrade. IT staff discovered that a hacker used vulnerability scanning software remotely to install software on the server.

The server contained unencrypted information on thousands of patients who received care at the UF College of Dentistry between 1990 and 2008. The personal information included a combination of names, dates of birth, addresses, Social Security numbers and billing codes for patients, the university said.

"It's unfortunate that, like many large institutions, we were targeted," said Teresa Dolan, dean of the UF College of Dentistry, in a statement. "We work hard to continually fine-tune our security protections, and maintaining our patients' trust and confidence is of utmost importance."


The university also said it was struggling to notify all of the patients whose information was compromised. It identified more than 8,000 patients who had data stored on the server, but no current mailing address connected to them.

In the UF privacy breach announcement, officials said the compromise took place despite recent security improvements. It said the dental school "added and strengthened firewalls and intrusion detection systems, encrypted the data flows containing sensitive information, and increased vigilance in identifying threats and securing servers."

The compromised database server was probably not Internet facing, said Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting Inc. Instead, a hacker likely used a scanner to find a vulnerable machine, get a foothold inside the network and eventually compromise the database server containing the dental school records.

"It takes a lot of work to successfully defend against that kind of attack," Nebel said.

Core Security Technologies Inc. makes a vulnerability testing tool, Core Impact, which automates the same moves that a savvy hacker would take to gain access to a system. The tool scans for vulnerabilities and when it finds a flaw it pushes a software agent into the affected server and acts as a Trojan, attempting to download more software onto the compromised server.

Tools like Core Impact leave a unique signature in log files analyzed by the IT team after the breach discovery, Nebel said.

"Universities probably represent a training ground for hackers," Nebel said. "Most of the time you'll find student computers and not much [of anything] interesting there, but if you get into the right systems, there's financial records and other valuable information."

In two separate incidents, the University of Florida announced the data breach of 1,900 patients of its College of Medicine. The breach resulted in the dismissal of a plastic surgeon for storing unsecured patient records. In June, the university announced more than 11,000 current and former students had their sensitive information put at risk when it was posted online between 2003 and 2005.

Colleges and universities have been the target of hackers this year. So far, more than 50 data breaches have occurred at colleges and universities in 2008.


