http://securityratty.com/tag/umass Wed, 30 Apr 2008 11:54:48 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/bf47c63d3967bee3e9de22405605c51a http://securityratty.com/article/bf47c63d3967bee3e9de22405605c51a Security Breach

Date Reported:
4/18/08

Organization:
University of Massachusetts System

Contractor/Consultant/Branch:
University of Massachusetts System at Amherst
University Health Services

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"personal information" and "medical records"

Breach Description:
"Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records."

Reference URL:
CBS Channel 3 News (Springfield)
UMass Amherst Press Release

Report Credit:
Lesley Tanner, CBS Channel 3 News

Response:
From the online source cited above:

Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records.

More than half of the student population at UMass Amherst are patients on record at the University Health Services.
[Evan] According to the UMass Amherst web site, the school had an enrollment of 25,593 total undergraduate and graduate students in the fall of 2006.  This just gives us a sense for how big the school is, not how many people may be affected by the supposed breach.

Though many of the most personal medical records are kept on paper files, officials say some personal information is available on the 150 computers used by the department.

The incident occurred April 11, and, after an initial investigation of the remote intrusion, the University decided to shut down the network

To date, about 30 workstations have been returned to service and officials project that the entire network will be operating within the next week.

The workstations in question contained limited patient information.

"What we're doing is going through as quickly as we can," says UMass Spokesperson Ed Blaguszewski. "And we are making an assessment and can't say for sure that the material wasn't breached."

Officials believe outside hackers wanted to use the server as a host for illegal music and video downloads, one that would make the culprits untraceable.
[Evan] Firewalls, intrusion detection/prevention, logging, etc.?  Outside "hackers" for the most part are amongst the easiest to protect confidential information from.  "Hackers" looking for a place to store and distribute files are typically opportunists and script-kiddies, and these are even easier to protect against.  Were the affected machines workstations, or servers?

"It wasn't a case from what we can tell of someone being in the office and breaking into a computer," says Blaguszewski. "These things are done remotely often times from countries all over the world."

A fact that's even more unsettling for patients who were unaware of the breach more than a week after it occurred.
[Evan] It seems like the school doesn't know who may be affected and thus they don't know who to notify.

The University did post a notice on the Health Services website, and say they are notifying patients when they enter the clinic.
[Evan] The notice

Campus officials say it will be weeks before they are completely sure what information, if any, was taken off the computers.

The University has launched a detailed evaluation of the incident to find out if any of the files were accessed during the intrusion, and will keep the community advised of its findings.

They say the entire campus system is being looked at to avoid future breaches.
[Evan] This should be a continuous effort.

Reaction from Students:
"I've been here every time I've been sick this semester," says Freshman Brooke Quinn.

"That's my doctor, it's where I go," says Senior Jennifer Scott.

"I think that it is scary that anybody on our campus could have our personal information and medical records," says Quinn.

"I wasn't aware of it, and no one I know was aware of it," says Scott. "If it's that easy for someone who just wanted to get music who knows what would happen for someone who was trying to get confidential information."

Commentary:
There is too much uncertainty surrounding this (apparent) breach.  If you are a concerned and potentially affected person, I would encourage you to contact officials with the school and seek answers.  You could also contact Ed Blaguszewski, his contact information is on the press release.  They should be done with their investigation by now.

Past Breaches:
Unknown

]]> Wed, 30 Apr 2008 11:54:48 +0000 university health services university information personal information health services protect confidential information contact information amherst umass amherst Intrusion into UMass Amherst University Health Services network