http://www.darkreading.com/document.asp?doc_id=155501 By Tim Wilson Site Editor Dark Reading June 3, 2008 Peer-to-peer (P2P) applications may have been the culprit in a security breach that has exposed the personal information of more than 1,000 patients at Walter Reed Hospital, according to early reports. Names, Social Security numbers, birth dates, and other information was exposed through a single computer file, hospital officials said Monday. The file did not include information such as medical records, or the diagnosis or prognosis for patients, they said in an Associated Press report [1]. The officials declined to discuss the nature of the breach with AP, citing an ongoing investigation. However, according to an industry news report [2], Col. Patricia Horoho, commander of the Walter Reed Health Care System, posted a Website message yesterday which suggests a potential P2P leak. "I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared," the message said. Horoho's message has since been pulled from the Walter Reed site, but the trade journal managed to get a screen capture [3] before the message disappeared. The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify. They said the company was working for another client, found the file and contacted Walter Reed. The hospital said it is working to notify all of the people named in the data file. Letters or emails were being sent out, beginning Monday. Officials declined to say how many patients were from Walter Reed and how many were from other military hospitals. The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation. "It's very troubling when private data is inappropriately released," Skelton said. "We must ensure that personal information is protected and prevent any future compromise of patient records." Several other high-profile breaches have occurred via P2P, which is often used to share music or video files without paying a royalty fee. In the past year, Citigroup subsidiary ABN Amro and pharmaceutical giant Pfizer have both been breached via P2P. (See P2P Leads to Major Leak at Citigroup Unit [4] and Pfizer Falls Victim to P2P Hack. [5]) But experts are also quick to point out that there is a growing base of technology that can detect potential P2P leaks and help close them before a compromise occurs. While companies such as Lumension offer off-the-shelf tools, there also are some techniques enterprises can use to prevent users from exposing data via P2P. (See Tech Insight: De-Fanging P2P. [6]) [1] http://ap.google.com/article/ALeqM5ggIYzqvXf4Qosf6ubPXxZRRAMPEAD91263E02 [2] http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316003,00.html [3] http://security.blogs.techtarget.com/files/2008/06/walterreed.JPG [4] http://www.darkreading.com/document.asp?doc_id=134544 [5] http://www.darkreading.com/document.asp?doc_id=126297 [6] http://www.darkreading.com/document.asp?doc_id=148404 _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu Jun 05 2008 - 00:42:10 PDT