Hacked dental school server compromises 300,000

By Robert Westervelt, News Editor
17 Nov 2008 | SearchSecurity.com


A server at the University of Florida's College of Dentistry was exploited remotely by an attacker, compromising the personal information of more than 336,000 patients.


In an announcement last week, the university said it discovered rogue software on a server Oct. 3 during a server upgrade. IT staff discovered that a hacker used vulnerability scanning software remotely to install software on the server.

The server contained unencrypted information on thousands of patients who received care at the UF College of Dentistry between 1990 and 2008. The personal information included a combination of names, dates of birth, addresses, Social Security numbers and billing codes for patients, the university said.

"It's unfortunate that, like many large institutions, we were targeted," said Teresa Dolan, dean of the UF College of Dentistry, in a statement. "We work hard to continually fine-tune our security protections, and maintaining our patients' trust and confidence is of utmost importance."


The university also said it was struggling to notify all of the patients whose information was compromised. It identified more than 8,000 patients who had data stored on the server, but no current mailing address connected to them.

In the UF privacy breach announcement, officials said the compromise took place despite recent security improvements. It said the dental school "added and strengthened firewalls and intrusion detection systems, encrypted the data flows containing sensitive information, and increased vigilance in identifying threats and securing servers."

The compromised database server was probably not Internet facing, said Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting Inc. Instead, a hacker likely used a scanner to find a vulnerable machine, get a foothold inside the network and eventually compromise the database server containing the dental school records.

"It takes a lot of work to successfully defend against that kind of attack," Nebel said.

Core Security Technologies Inc. makes a vulnerability testing tool, Core Impact, which automates the same moves that a savvy hacker would take to gain access to a system. The tool scans for vulnerabilities and when it finds a flaw it pushes a software agent into the affected server and acts as a Trojan, attempting to download more software onto the compromised server.

Tools like Core Impact leave a unique signature in log files analyzed by the IT team after the breach discovery, Nebel said.

"Universities probably represent a training ground for hackers," Nebel said. "Most of the time you'll find student computers and not much [of anything] interesting there, but if you get into the right systems, there's financial records and other valuable information."

In two separate incidents, the University of Florida announced the data breach of 1,900 patients of its College of Medicine. The breach resulted in the dismissal of a plastic surgeon for storing unsecured patient records. In June, the university announced more than 11,000 current and former students had their sensitive information put at risk when it was posted online between 2003 and 2005.

Colleges and universities have been the target of hackers this year. So far, more than 50 data breaches have occurred at colleges and universities in 2008.


