Information Security News mailing list archives

Unprotected Voice System is Used by Many Hospitals Across the U.S.


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Tue, 28 Sep 1999 00:40:12 -0600

http://biz.yahoo.com/bw/990923/ca_zdtv_1.html

Thursday September 23, 6:39 pm Eastern Time
ZDTV CyberCrime News Team Advances Major Story on Medical Records Security Breach
Unprotected Voice System is Used by Many Hospitals Across the U.S.

SAN FRANCISCO--(BUSINESS WIRE)--Sept. 23, 1999--Today ZDTV has confirmed
that St. Joseph's Mercy Hospital in Pontiac, Michigan, has suffered a
major security breach that left certain confidential patient records
accessible to the public.

ZDTV's CyberCrime news team, Alex Wellen and Luke Reiter, determined the
identity of the hospital after Emmanuel Goldstein, publisher of the hacker
magazine and web site 2600.com, first alerted them to the security flaw.

The hospital uses a voice mail service (internal digital dictating
service) that allows doctors to record and access notes concerning patient
examinations and consultations. The notes include information about
patients, ranging from admission and discharge data, to cardiac and mental
health records.

2600.com reported that a glitch in the hospital voice mail system allowed
callers to access confidential patient records without a password or any
other security roadblock. Goldstein first reported the flaw on public
radio station WBAI's "Off The Hook" on September 21, but the hospital's
identity was not known prior to ZDTV's investigation. Goldstein has
published a sample audio file on the 2600.com Web site to alert the
country to the problem, but left off the patient's name to protect the
individual.

Sonja Berry, PR Spokesperson for St. Joseph's Mercy Hospital, said that
after hearing about the problem from ZDTV, the hospital took immediate
action to correct the situation and ensure that the private information is
no longer available to outside callers. She said the hospital is now
investigating to ensure the problem will never happen again.

Berry told ZDTV she could not provide an explanation for the error, but
confirmed that the dictation service was provided by Dictaphone
Corporation of Stratford, Connecticut, and is used by other hospitals
around the country. Dictaphone has been advised of the situation and is
expected to respond to ZDTV's inquiries shortly.

Details of this breaking story can be seen on the ZDTV News at 4:00 p.m.
and 11:00 p.m. ET, ZDTV's CyberCrime web site at www.cybercrime.com, and
heard on ZDTV Radio at www.zdtv.com/radio.

[snip..]

ISN is sponsored by Security-Focus.COM

