http://www.securityfocus.com/news/122
Seattle Hospital Hacked
Dutch hacker downloads thousands of patient records.
By Kevin Poulsen
December 6, 2000 3:54 PM PT
A sophisticated hacker took command of large portions of the University of
Washington Medical Center's internal network earlier this year, and
downloaded computerized admissions records for four thousand heart
patients, SecurityFocus.com has learned.
The intrusions began in June, and continued until at least mid-July, before
network administrators at the Seattle teaching hospital detected the hacker
and cut him off. The medical center was purportedly unaware that patient
records were downloaded, and elected not to notify law enforcement agencies
of the intrusions.
"It's a story of great incompetence," said the hacker, a 25-year-old Dutch man
who calls himself "Kane." "All the data taken from these computers was taken
over the Internet. All the machines were exposed without any firewalls of any
kind."
SecurityFocus.com reviewed portions of the databases the hacker
downloaded. One of the files catalogs the name, address, birth date, social
security number, height and weight of over four thousand cardiology patients,
along with each medical procedure they underwent. Another file provides
similar information on seven hundred physical rehabilitation patients. A third
file chronicles every admission, discharge and transfer within the hospital
during a five-month period.
"I can say we're investigating an incident," said hospital spokesperson Walter
Neary. "We are taking it very seriously."
In a telephone interview, Kane said he did not tamper with any hospital data,
and described his forays into the hospital's network as a renegade public
service aimed at exposing the poor security surrounding medical information.
The hacker is a self-described computer security consultant by trade. His illicit
investigation was inspired by a conversation with a colleague, in which they
wondered aloud about how well highly sensitive computers were protected.
"The conversation came around to medical data, which is sensitive indeed,
and I thought I'd have a look around," said Kane. <...>
Lauren Gelman, Director of Public Policy, Electronic Frontier Foundation
1-202/487-0420 [Lauren Gelman via risks-digest Volume 21, Issue 14]