Paid Advertising
web application security lab

Illegal Penetration of Physician Database

Quadszilla just sent me a link to a recent alledged unathorized hack into a medical college database by what is believed to be a salesman of all things.  He is a salesman for medical databases.  No doubt he was going to take the information he recieved and attempt to market to those people who were either near graduation or post graduates.

This is one of those weird things where blackhat hacking is getting to be far more mainstream.  Even sales guys can hack into a database.  And if he hadn’t gotten caught, it is very likely that this would have been a very profitable attack.  I remember at one point in my college career someone sold the school password file to spammers.  That was also pretty successful as there were far less people on the internet at that point, so email addresses were more scarce.

Thankfully the database in question in this particular hack was not a patient resource (and therefor not under HIPAA regulation), but the obvious damage that could be caused by something like this makes me shudder a little bit.  College servers hold a great deal of sensitive information.  Thankfully, normally they are fairly difficult to break into, as the colleges themselves have to protect against users who would attempt to break in and steal information or change grades, etc.

2 Responses to “Illegal Penetration of Physician Database”

  1. webwormx Says:

    I disagree with you about the safety of college databases. In my personal experience, servers run by most universities are among the most poorly secured around.

    Universities seem to be notoriously terrible at hiring competent IT people understanding how much effort needs to be put towards security. Additionally, they often try to create complex interactive websites on low budgets — clearly a recipe for disaster.

    It doesn’t surprise me at all that this salesman was able to get in, and this is far from the first public break in around. University of Ohio and Harvard are just two more of the many that have been reported in the past couple of years. Additionally, one must wonder how many attacks are left undetected or unreported.

  2. RSnake Says:

    webwormx, I suppose you’re probably right… I am really thinking of the colleges I worked with, which were some of the most technical groups out there at the time. It stands to reason that a college filled with doctors won’t be the most technically competent group of people. So I’m probably a bad datapoint to discuss computer security at colleges.

    I would agree that most of the breakins go unnoticed. In fact, of the few breakins that I am aware of none ever got disclosed. Maybe I should get myself a degree. ;)