A HIPAA Violation Story For You…
A few months back my wife and I were in our doctor’s waiting room together. We were just chatting and enjoying each other’s company. (We have three young kids… so this might have constituted a date!) We were looking at the trees outside and happened to notice someone rolling a cart to the dumpster in the parking lot with what appeared to be computers and LCD monitors.
After our appointments, we strolled over to take a look. Another company in the doctor’s office complex had thrown away 5 Dell Optiplex machines complete with 15″ LCD monitors. Well, of course I backed the truck up and tossed them in! Worst case, I thought they could be repurposed or used for parts. (Ask my wife, I have parts everywhere…you never know when you’ll need something.)
Once home, I noted that they were all 1 GHz Pentium 4 boxes with a gig of RAM… Not too shabby. I also noted that they booted into Windows NT (yes, Windows NT, in 2010) with a domain name of “Joe’s Hospital Billing.” (Ok, not really Joe’s Hospital, but a well known and respected University Hospital System that might need to review their HIPAA rules, not to mention the penalties enforced when you break them.) I then booted them with a Knoppix Live CD to take a look at the hard drives. I noted that while they were only 20 GB drives, they were packed with years’ worth of medical billing records and patient information.
Well, since I had no interest in knowing that Shirley So and So has such and such a medical issue or that her SSN is 123-45-6789, I shut down the machines and zeroed the drives. I also sent a nice letter to Joe’s Hospital addressing both the Legal and IT departments explaining what I found and how I found it. I explained I had zeroed the drives and even offered to drop them off to them if they wanted. I got a nice reply from the IT department explaining they had outsourced the upgrades and thanking me for letting them know.
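The wipe-and-verify step described above, as an added example (not the post author's own commands): it zeroes a target and then independently reads it back to prove no residual bytes remain. It runs against a constructed file-backed image so it is safe to execute; the `TARGET` argument would be the block device only on a real disposal wipe.

```shell
#!/bin/sh
# Added example, not the post's own code: zero a disk (or image) before it
# leaves your control, then prove the wipe with an independent read-back.
set -eu

# zero_media TARGET SIZE_MB: overwrite the first SIZE_MB megabytes of TARGET
# with 0x00 bytes (for a whole drive, size it to the device capacity).
zero_media() {
    dd if=/dev/zero of="$1" bs=1048576 count="$2" conv=notrunc 2>/dev/null
    sync
}

# verify_zeroed TARGET: exit 0 only if every byte of TARGET reads back as 0x00.
# Stripping NUL bytes with tr leaves nothing when the wipe succeeded; any
# byte left over is residual data that should never reach a recycler.
verify_zeroed() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# demo: constructed 1 MiB image holding a made-up billing record, wiped and
# verified. Returns 0 when the unwiped image fails verification and the
# zeroed image passes it; any other outcome returns 1.
demo() {
    img=$(mktemp)
    # Constructed sample content standing in for the records on the drives.
    printf 'PATIENT: Shirley So-and-so  SSN: 123-45-6789  DX: (redacted)\n' > "$img"
    if verify_zeroed "$img"; then rm -f "$img"; return 1; fi   # must fail: data present
    zero_media "$img" 1
    if ! verify_zeroed "$img"; then rm -f "$img"; return 1; fi # must pass after wipe
    rm -f "$img"
    return 0
}
```

Running `verify_zeroed` on the device as a separate read-back after the wipe is the point: a wipe job that was outsourced or scripted is only known to have worked once the media is read again and found empty.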
It turned out that one of the IT staff there was someone I knew, so I found out later that the hospital in question has since changed its upgrade practice. The IT team still uses an external company, but this company wipes the drives before they go to the recycler and not the dumpster. While it’s somewhat comforting to know the hospital has changed policy, it’s also scary to think that people’s personal information is so easily “trashed.” What would have happened if I hadn’t found those machines? (I am an “ethical hacker” by trade, after all…)
So while HIPAA supposedly “protects” our data, like anything else, it’s only as “secure” as the humans and processes handling it!