Officials at Walter Reed Army Medical Center are investigating how the personal information of 1,000 former patients was left unsecured on a hospital computer.
Hospital officials said they were notified of the data breach May 21 by an outside company. Few details are available, but investigators say the information may have been disclosed via a peer-to-peer (P2P) network.
"Preliminary results of an ongoing investigation have identified a computer from which the data was apparently compromised," the hospital said in a statement.
In a message on the Walter Reed website, Col. Patricia Horoho, commander of the Walter Reed Health Care System, shed some light on how the information was compromised.
"I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command, as it increases our vulnerability and possibly can cause a breach in protected information being shared," Horoho said.
The message was addressed to Team WRAMC and was posted on the Walter Reed website this morning, but has recently been removed.
Organizations have a number of ways to monitor employees and detect the use of unauthorized programs on the network. Standard firewall rules can be put in place to detect P2P traffic and intrusion prevention systems can be tuned to see P2P protocols and other similar activity on the network, said Phil Hochmuth, a senior analyst at Boston-based Yankee Group.
"P2P is a direct conduit out of your organization that is hard to monitor through which personal data can easily move," Hochmuth said. "It's potentially a giant hole punch in your network perimeter."
Still, some traditional inspection and monitoring technologies have trouble detecting unauthorized programs. For example, data transmissions of the P2P service, Skype are often hard to detect, Hochmuth said.
"They're more dynamic and move very easily from port to port," Hochmuth said.
It's unclear what kind of information may have been leaked at Walter Reed. The hospital is notifying each individual named in the file and offering credit monitoring assistance.
The Health Insurance Portability and Accountability Act (HIPPA) protects patients from unauthorized release of their health records.
"The information did not contain any protected health information such as medical records, diagnosis or prognosis for patients," Horoho said.
The federal government has had issues in the past with lost and stolen laptops compromising sensitive information.
In 2006, an employee at the Department of Transportation (DOT) lost a laptop containing 133,000 drivers' and pilots' records last summer. The information was believed to have been taken from a government vehicle. That same year, the Department of Veterans Affairs (VA) acknowledged a data security breach involving a desktop computer compromising the personal information of thousands veterans.