Attacks/Breaches
6/3/2008
06:50 AM
50%
50%

Army Hospital Breach May Be Result of P2P Leak

Data loss at Walter Reed exposed personal information on 1,000 soldiers

Peer-to-peer (P2P) applications may have been the culprit in a security breach that has exposed the personal information of more than 1,000 patients at Walter Reed Hospital, according to early reports.

Names, Social Security numbers, birth dates, and other information was exposed through a single computer file, hospital officials said Monday. The file did not include information such as medical records, or the diagnosis or prognosis for patients, they said in an Associated Press report.

The officials declined to discuss the nature of the breach with AP, citing an ongoing investigation. However, according to an industry news report, Col. Patricia Horoho, commander of the Walter Reed Health Care System, posted a Website message yesterday which suggests a potential P2P leak.

"I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared," the message said. Horoho's message has since been pulled from the Walter Reed site, but the trade journal managed to get a screen capture before the message disappeared.

The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify. They said the company was working for another client, found the file and contacted Walter Reed.

The hospital said it is working to notify all of the people named in the data file. Letters or emails were being sent out, beginning Monday. Officials declined to say how many patients were from Walter Reed and how many were from other military hospitals.

The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation.

"It's very troubling when private data is inappropriately released," Skelton said. "We must ensure that personal information is protected and prevent any future compromise of patient records."

Several other high-profile breaches have occurred via P2P, which is often used to share music or video files without paying a royalty fee. In the past year, Citigroup subsidiary ABN Amro and pharmaceutical giant Pfizer have both been breached via P2P. (See P2P Leads to Major Leak at Citigroup Unit and Pfizer Falls Victim to P2P Hack.)

But experts are also quick to point out that there is a growing base of technology that can detect potential P2P leaks and help close them before a compromise occurs. While companies such as Lumension offer off-the-shelf tools, there also are some techniques enterprises can use to prevent users from exposing data via P2P. (See Tech Insight: De-Fanging P2P.)

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Lumension Security

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    5 Security Technologies to Watch in 2017
    Emerging tools and services promise to make a difference this year. Are they on your company's list?
    Flash Poll
    New Best Practices for Secure App Development
    New Best Practices for Secure App Development
    The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2013-7445
    Published: 2015-10-15
    The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

    CVE-2015-4948
    Published: 2015-10-15
    netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

    CVE-2015-5660
    Published: 2015-10-15
    Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

    CVE-2015-6003
    Published: 2015-10-15
    Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

    CVE-2015-6333
    Published: 2015-10-15
    Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

    Dark Reading Radio
    Archived Dark Reading Radio
    In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.