Army Hospital Breach May Be Result of P2P Leak

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/document.asp?doc_id=155501

By Tim Wilson
Site Editor
Dark Reading
June 3, 2008

Peer-to-peer (P2P) applications may have been the culprit in a security 
breach that has exposed the personal information of more than 1,000 
patients at Walter Reed Hospital, according to early reports.

Names, Social Security numbers, birth dates, and other information was 
exposed through a single computer file, hospital officials said Monday. 
The file did not include information such as medical records, or the 
diagnosis or prognosis for patients, they said in an Associated Press 
report [1].

The officials declined to discuss the nature of the breach with AP, 
citing an ongoing investigation. However, according to an industry news 
report [2], Col. Patricia Horoho, commander of the Walter Reed Health 
Care System, posted a Website message yesterday which suggests a 
potential P2P leak.

"I need everyone to ensure that they are not loading or downloading 
programs that are not authorized by the command as it increases our 
vulnerability and possibly can cause a breach in protected information 
being shared," the message said. Horoho's message has since been pulled 
from the Walter Reed site, but the trade journal managed to get a screen 
capture [3] before the message disappeared.

The medical center learned of the breach on May 21 from an outside data 
mining company, which officials did not identify. They said the company 
was working for another client, found the file and contacted Walter 
Reed.

The hospital said it is working to notify all of the people named in the 
data file. Letters or emails were being sent out, beginning Monday. 
Officials declined to say how many patients were from Walter Reed and 
how many were from other military hospitals.

The chairman of the House Armed Services Committee, Rep. Ike Skelton, 
D-Mo., said he wants to hear from the Army about its investigation.

"It's very troubling when private data is inappropriately released," 
Skelton said. "We must ensure that personal information is protected and 
prevent any future compromise of patient records."

Several other high-profile breaches have occurred via P2P, which is 
often used to share music or video files without paying a royalty fee. 
In the past year, Citigroup subsidiary ABN Amro and pharmaceutical giant 
Pfizer have both been breached via P2P. (See P2P Leads to Major Leak at 
Citigroup Unit [4] and Pfizer Falls Victim to P2P Hack. [5])

But experts are also quick to point out that there is a growing base of 
technology that can detect potential P2P leaks and help close them 
before a compromise occurs. While companies such as Lumension offer 
off-the-shelf tools, there also are some techniques enterprises can use 
to prevent users from exposing data via P2P. (See Tech Insight: 
De-Fanging P2P. [6])

[1] http://ap.google.com/article/ALeqM5ggIYzqvXf4Qosf6ubPXxZRRAMPEAD91263E02
[2] http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316003,00.html
[3] http://security.blogs.techtarget.com/files/2008/06/walterreed.JPG
[4] http://www.darkreading.com/document.asp?doc_id=134544
[5] http://www.darkreading.com/document.asp?doc_id=126297
[6] http://www.darkreading.com/document.asp?doc_id=148404


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com