Here's an interesting story making the rounds today about an Ohio man who used a commercial spyware program on an (ex?) girlfriend. He expected it to track her activities on her home computer, but instead ended up getting an ongoing screenshot feed from a computer in a hospital pediatric cardiac surgery department, where she works. He sent the file to her Yahoo! Mail account. She opened it and unknowingly installed the software on a work computer.
Needless to say, instead of getting juicy details on her online activities a la Joey Greco, he ended up with a feed of sensitive data, including PII and ePHI. While this was indeed an unintended result, he is still on the hook for big fines and possible jail time.
There is a lot of blame to spread around here for sure. There are also many questions (some rhetorical) that popped into my head as I read this:
- How did he convince her to run the installer and infect the PC? Obviously, he had an advantage over a random malware spreader since she knew the sender. Still, it must have required at least a small amount of social engineering skill. She didn't even know she had infected the system (or didn't think it wise to tell anyone).
- Does the hospital have a webmail policy? Do they have the tools to enforce it? Blocking access to Yahoo! Mail at the gateway would have nipped this problem in the bud, at least for the hospital.
- Did the PC in question have adequate anti-malware protection? By the looks of things, whatever they were using was insufficient.
- What else could the hospital have done to prevent the leak of ePHI in accordance with HIPAA regulations? Of course SIM comes to my mind, but SIM would need to rely on feeds from web gateways, AV servers, DLP systems, firewalls, etc.
- The hospital is actually lucky here in that the person who stole the sensitive information had no nefarious plans for it. They were shown the weakness of their defenses without having to pay for an audit and without the need to pay ransom or experience worse consequences. They should view this incident as a gift and use it to improve their security stance.
- The stalker / boyfriend was clearly in the wrong no matter how you slice things. I imagine it's just as illegal to spy on a private citizen this way as it is to do it to a hospital. To borrow from an old saying: Spyware doesn't steal information - people do.
Leave a comment