
Walter Reed admits breach of patient information

An employee could have downloaded peer-to-peer (P2P) network software onto a hospital computer, putting the data at risk.

Officials at Walter Reed Army Medical Center are investigating how the personal information of 1,000 former patients was left unsecured on a hospital computer.

Hospital officials said they were notified of the data breach May 21 by an outside company. Few details are available, but investigators say the information may have been disclosed via a peer-to-peer (P2P) network.

"Preliminary results of an ongoing investigation have identified a computer from which the data was apparently compromised," the hospital said in a statement.

In a message on the Walter Reed website, Col. Patricia Horoho, commander of the Walter Reed Health Care System, shed some light on how the information was compromised.

"I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command, as it increases our vulnerability and possibly can cause a breach in protected information being shared," Horoho said.

The message was addressed to Team WRAMC and was posted on the Walter Reed website this morning, but has recently been removed.

Organizations have a number of ways to monitor employees and detect the use of unauthorized programs on the network. Standard firewall rules can be put in place to detect P2P traffic and intrusion prevention systems can be tuned to see P2P protocols and other similar activity on the network, said Phil Hochmuth, a senior analyst at Boston-based Yankee Group.

"P2P is a direct conduit out of your organization that is hard to monitor through which personal data can easily move," Hochmuth said. "It's potentially a giant hole punch in your network perimeter."

Still, some traditional inspection and monitoring technologies have trouble detecting unauthorized programs. For example, data transmissions from the P2P service Skype are often hard to detect, Hochmuth said.

"They're more dynamic and move very easily from port to port," Hochmuth said.

It's unclear what kind of information may have been leaked at Walter Reed. The hospital is notifying each individual named in the file and offering credit monitoring assistance.

The Health Insurance Portability and Accountability Act (HIPAA) protects patients from unauthorized release of their health records.

"The information did not contain any protected health information such as medical records, diagnosis or prognosis for patients," Horoho said.

The federal government has had issues in the past with lost and stolen laptops compromising sensitive information.

In 2006, an employee at the Department of Transportation (DOT) lost a laptop containing 133,000 drivers' and pilots' records last summer. The information was believed to have been taken from a government vehicle. That same year, the Department of Veterans Affairs (VA) acknowledged a data security breach involving a desktop computer, compromising the personal information of thousands of veterans.

1 comment

Wow, I would hate to be that employee responsible for the breach, if that is in fact what happened. The article is a little vague. 
Still, if the data was on a hospital computer, it seems that the data should have been protected. Sometimes it takes a wake-up call for an organization to realize that they need better data security in place. I work with PHI (protected health information) and I would hate to unintentionally make a mistake that left the data vulnerable.