Friday, September 18, 2009

Fool me once...

Hmm... it looks like this is not the first data breach at Akron Children's Hospital. In our last post we wrote about how misdirected spyware was installed on a computer there and subsequently leaked financial and medical information.

In 2006, an intruder broke into their network and compromised a database. Here is what the FAQ says:
Akron Children's Hospital recently identified that during an expansion of its computer systems, there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of our patients, and of the parents or guardians who provide their health insurance. This personal information included names, addresses, social security numbers and patient birth dates. We have found no evidence that any medical or financial patient information was exposed.

The second breach involved a server containing information about individuals who have made donations to the hospital. This breach may have exposed personal financial information, specifically some unencrypted bank account and routing numbers. Social security numbers were not included in this database, and credit card information was protected through the highest level of encryption.
There is a report from the local NBC affiliate that says pretty much the same thing, but adds that the intruders came in via a number of intermediate hops.

Typically, it takes a security breach to wake up a company--it is their "come to Jesus" moment. If, after that 2006 breach, they did not put in place simple measures like educating employees not to open attachments and blocking outside email access, they were not doing a very good job.