
Spyware Prank Exposes Hospital Medical Records

kdawson posted more than 4 years ago | from the epic-keylogger-fail dept.

Security 319

cheerytt writes "Let this be a lesson to all the broken-hearted geeks out there. A 38-year-old Ohio man is set to plead guilty to federal charges after spyware he meant to install on the computer of a woman he'd had a relationship with ended up infecting computers at a children's hospital. Spyware was sent to the woman's Yahoo e-mail address in the hope it would be used to monitor what his former girlfriend was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department. The spyware sent more than 1,000 screen captures via e-mail, including details of medical procedures, diagnostic notes and other confidential information relating to 62 patients. The man will pay $33,000 to the hospital for damages and faces a maximum sentence of five years in prison."


319 comments


FIRST! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29463079)

hah

Wrong type of tracking (4, Funny)

jrumney (197329) | more than 4 years ago | (#29463087)

He should have just planted a GPS in her handbag, then he'd have the full protection of Massachusetts law.

Re:Wrong type of tracking (1)

WarJolt (990309) | more than 4 years ago | (#29463129)

I think in Ohio that's still considered an invasion of privacy.

Re:Wrong type of tracking (4, Insightful)

nedlohs (1335013) | more than 4 years ago | (#29463391)

Really, you think he had a search warrant?

The Woman (5, Insightful)

some_guy_88 (1306769) | more than 4 years ago | (#29463095)

So what's happening to the woman who stupidly ran an exe she received in an email?

Re:The Woman (4, Interesting)

QuantumG (50515) | more than 4 years ago | (#29463147)

In a hospital no less.

What happened to the geek who set up the transparent web proxy that allowed that?

Re:The Woman (1)

spacefight (577141) | more than 4 years ago | (#29463195)

Are there any proxies that can filter _all_ sorts of packed/zipped/password-protected executable files with a 100% hit rate? I doubt it.

Re:The Woman (4, Insightful)

QuantumG (50515) | more than 4 years ago | (#29463231)

Most all of them can be configured to reject anything they can't verify as "safe". Whitelist, don't blacklist, it's the first rule of security.

Re:The Woman (1, Insightful)

CarpetShark (865376) | more than 4 years ago | (#29463255)

Whitelist, don't blacklist, it's the first rule of security.

Except when you're mandated to provide general internet access.

Re:The Woman (1)

QuantumG (50515) | more than 4 years ago | (#29463265)

Hope you got that mandate in writing.

Re:The Woman (1)

plastbox (1577037) | more than 4 years ago | (#29463463)

When you are, you provide it on separate machines on a separate VLAN. "General internet access" has no place on the "general workers'" work computer, no matter how competent the user feels (s)he is with MS Word!

At the very least, you never allow mail with executable attachments through your defences (nor mails with archives containing executables, etc.)

Re:The Woman (1)

bschorr (1316501) | more than 4 years ago | (#29463235)

Well, she's obviously not the brightest bulb on the tree. I would say that yes, it is possible to block all of the zip/executables that a user like that would get. It's not like he changed the extension to .PDF but included instructions that she was to rename it to .EXE after saving it to her drive, right?

There are ways for geeks to get executables past web security. I suspect he just sent her a .EXE or a .COM or something like that and she opened it.

And what kind of web security do they have that allows Yahoo mail anyhow?

Re:The Woman (1)

WarJolt (990309) | more than 4 years ago | (#29463165)

I mentioned eMule to a co-worker. He was fired the next day. I found out when I had an interesting visit from one of the execs asking me if I knew what eMule was. It brought down the entire network. It's been my experience most organizations don't take incompetence lightly. I bet she got fired and I think the IT guy should go too.

Re:The Woman (1)

the_womble (580291) | more than 4 years ago | (#29463223)

Given how badly IT has been run at some places I have worked, I would say lots of organisations cannot identify technical incompetence.

Re:The Woman (2, Funny)

Shikaku (1129753) | more than 4 years ago | (#29463251)

Note to self, quick and easy way to get rid of unwanted coworker.

Re:The Woman (1)

mspohr (589790) | more than 4 years ago | (#29463987)

So what's happening to the IT administrator who stupidly installed a Windows computer with an open admin account that allowed the woman to run an exe?

HIPAA - SHMIPAA (5, Insightful)

C18H27NO3 (1282172) | more than 4 years ago | (#29463105)

I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?
This incident could very well be the least of their problems for all they know.
The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.

Just for grins I went looking through their employment opportunities to see if any IT jobs opened up recently and stumbled upon this:
(Not relevant to this thread but interesting, nonetheless.)

Nicotine-free hiring policy
Because it's important for healthcare providers to promote a healthy environment and lifestyle, Akron Children's Hospital has a nicotine-free hiring policy.
Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.
Akron Children's will not hire applicants who test positive for nicotine use.
If you test positive for nicotine, the offer of employment made to you will be rescinded.
If after 90 days you successfully quit using nicotine, you may reapply for employment.

Re:HIPAA - SHMIPAA (1)

Cryacin (657549) | more than 4 years ago | (#29463131)

Go the hippocritical oath!

Nicotine-free hiring policy Because it's important for healthcare providers to promote a healthy environment and lifestyle, Akron Children's Hospital has a nicotine-free hiring policy. Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests. Akron Children's will not hire applicants who test positive for nicotine use. If you test positive for nicotine, the offer of employment made to you will be rescinded. If after 90 days you successfully quit using nicotine, you may reapply for employment.

Re:HIPAA - SHMIPAA (1)

Carthag (643047) | more than 4 years ago | (#29463221)

Don't be so harsh on the horses man, they haven't done anything to us.

Re:HIPAA - SHMIPAA (3, Informative)

pz (113803) | more than 4 years ago | (#29463201)

I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?

This incident could very well be the least of their problems for all they know.

The fact that it was able to install and send screenshots willy-nilly to Graham and who-knows-where-else is a HIPAA nightmare.

Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.

Given this transgression and their draconian nicotine policy (which surely must be illegal), the moral of the story is clear: do not, under any circumstances, seek treatment at Akron Children's Hospital.

Re:HIPAA - SHMIPAA (0)

Anonymous Coward | more than 4 years ago | (#29463269)

Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous.

What cheap-shit dictionary did you look up onerous in?

Through contact only with one of my doctors, I know how sloppy some can be. While waiting for him, I read the use policy on the login screen. I told him I thought it was pretty thorough -- see only records for patients for whom you have medical responsibility -- no peeking at: celebrity patients, friends, relatives, even family. Abuse to be monitored and dealt with.

His answer? -- Yeah, but lots of people do anyway and nothing happens.

Hospital management at fault, not employee (1, Troll)

SgtChaireBourne (457691) | more than 4 years ago | (#29463469)

Indeed, it gives one great pause since that computer *should* have been running anti-virus software to check each download and executable as it was opened, and, presumably, would have caught this installation. Through professional contacts, I'm passingly familiar with the IT environment in a Big University Hospital and the hoops that my colleagues have to jump through to put a PC on the hospital network are near onerous. Those machines are sterile, or as close to sterile as humanly possible.

Don't be a shithead. E-Mail is not a replacement for a file system. Nor should hospitals be using systems that are even remotely susceptible to malware. Pretending otherwise or, worse, blaming the user for defective products is an M$ attitude. There are two underlying problems hidden:

1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA [informit.com] compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed off on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).

2) Any self-respecting milter can strip ALL attachments automatically and delete them. MIMEDefang [mimedefang.org] is a good example, but one of many. The stripping of attachments can even include a non-looping auto-reply to the sender including instructions on the correct way to transfer files.
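Added example, not from any commenter and not MIMEDefang's own code: a small Python check of the kind plastbox and the post above describe, which flags executable attachments by their magic bytes (so a renamed .exe is still caught) and looks inside ZIP archives, including nested and encrypted ones. The sample messages, filenames and the stand-in PE blob are constructed here for illustration.

```python
"""Gateway-style attachment check: reject mail carrying Windows executables,
even when they are renamed or wrapped in a ZIP archive."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# PE executables (.exe/.dll/.scr) begin with the "MZ" DOS header; ZIP archives
# begin with "PK\x03\x04". The check keys on these bytes, not on the extension.
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
SUSPECT_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".msi")
MAX_DEPTH = 3  # bound recursion into nested archives


def is_executable_blob(name, data):
    """True when either the bytes or the filename indicate a runnable binary."""
    return data.startswith(PE_MAGIC) or name.lower().endswith(SUSPECT_EXT)


def scan_blob(name, data, depth=0):
    """Return findings such as 'photo.exe (inside photos.zip)' for one blob."""
    findings = []
    if is_executable_blob(name, data):
        findings.append(name)
    if data.startswith(ZIP_MAGIC) and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:
                        # Encrypted entry: cannot be inspected, so treat as suspect
                        findings.append(f"{info.filename} (encrypted, inside {name})")
                        continue
                    inner = zf.read(info.filename)
                    for f in scan_blob(info.filename, inner, depth + 1):
                        findings.append(f"{f} (inside {name})")
        except zipfile.BadZipFile:
            findings.append(f"{name} (corrupt archive)")
    return findings


def scan_message(raw):
    """Parse raw RFC 5322 bytes and return findings for every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(scan_blob(name, payload))
    return findings


def build_sample(filename, blob):
    """Constructed test message: a text body plus one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "photos"
    m.set_content("open the attachment :)")
    m.add_attachment(blob, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def make_zip(entries):
    """Constructed in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed stand-in for a PE file: correct header, no real code.
FAKE_PE = PE_MAGIC + b"\x90\x00" * 32

if __name__ == "__main__":
    samples = [
        ("photo.exe", FAKE_PE),                          # plain executable
        ("photo.pdf", FAKE_PE),                          # renamed executable
        ("photos.zip", make_zip({"photo.exe": FAKE_PE})),  # zipped executable
        ("notes.txt", b"just text"),                     # harmless
    ]
    for fn, blob in samples:
        print(fn, "->", scan_message(build_sample(fn, blob)) or "clean")
```

A real milter would reject or strip the part when `scan_message` returns anything; the magic-byte check is what defeats the rename-to-.PDF trick mentioned elsewhere in this thread.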

Re:Hospital management at fault, not employee (5, Informative)

horatiocain (1199485) | more than 4 years ago | (#29463591)

1) How the hell was it possible for a hospital unit to have Windows on any of their computers in the first place? HIPAA [informit.com] compliance has been mandatory for many years now and there has been more than enough time to phase out Windows. Did you read the dozen EULAs for the Windows box and all its software and server hooks? For all service packs and CALs? Thought not. Neither did the hospital management. The woman is not at fault, the hospital management who signed of on the purchase or deployment of the Windows machines is the sole group to blame (excepting the sender of course).

I have an ugly truth for you - almost every hospital in the US uses Windows (95 through XP) for every single workstation. Every single Healthcare IT software vendor develops solely for windows (save a few web-based packages.) It's a very pure MS monoculture. I know, I know, it's sick. I agree completely with the above, but the emperor is threadless here.

Re:HIPAA - SHMIPAA (1)

LordAndrewSama (1216602) | more than 4 years ago | (#29463507)

No, computers that have internet access for the fun and happiness of workers should be on a separate network from computers used for important medical stuphz. I would say computers used for important medical stuphz shouldn't be able to access the internet, but hey, they might need to hit a database somewhere for symptoms or I don't know, but damn, it sure as hell shouldn't be allowed to go to hotmail or any other random website, that's what separate public access terminals should be for.

Re:HIPAA - SHMIPAA (1)

shentino (1139071) | more than 4 years ago | (#29463869)

At Will Employment

Re:HIPAA - SHMIPAA (1)

MichaelSmith (789609) | more than 4 years ago | (#29463225)

I agree, but when I broke my arm my X-rays were delayed by virus problems. Then they sent my X-rays to me on a CD and it came with handy DLL files for processing the data. Fortunately for me GIMP got the libraries it needed from the Ubuntu repositories.

Re:HIPAA - SHMIPAA (3, Interesting)

Mr. Roadkill (731328) | more than 4 years ago | (#29463429)

Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests.

That'll be interesting in the future - discrimination on the grounds of disability or medical condition, perhaps?

There's some evidence that nicotine delivered by patch can help with things like Parkinson's, Alzheimer's, depressive conditions, ADD and a whole lot of other things. Various native peoples have ingested tobacco to treat constipation and worm infestations, and I see no reason why people using it exclusively as a herbal remedy for these or other conditions should be penalised. I'm a non-smoker and won't take it up - I think it's disgusting - but if nicotine patches were safe and effective and cheap when compared with other medication I'd use them and take my prospective employers to court if need be. I'd also be the guy passing around the poppyseed bagels, fwiw...

Re:HIPAA - SHMIPAA (1)

coaxial (28297) | more than 4 years ago | (#29463629)

I wonder how it came to be that one would be permitted to check web-based email in the hospital's pediatric cardiac surgery department?

And exactly why wouldn't it be allowed? It's not like the computer is sitting in the surgery theater. Especially given that arbitrary restrictions of computer usage negatively impact productivity. [slate.com]

This incident could very well be the least of their problems for all they know.

I fail to see what you're implying. Elaborate.

Re:HIPAA - SHMIPAA (1)

JakartaDean (834076) | more than 4 years ago | (#29463655)

Nicotine-free hiring policy Because it's important for healthcare providers to promote a healthy environment and lifestyle, Akron Children's Hospital has a nicotine-free hiring policy. Newly hired employees are tested for nicotine as part of a pre-employment panel of medical tests. Akron Children's will not hire applicants who test positive for nicotine use. If you test positive for nicotine, the offer of employment made to you will be rescinded. If after 90 days you successfully quit using nicotine, you may reapply for employment.

Wow, that's shocking in so many ways. Excluding potentially talented employees, discrimination on questionable legal grounds, and so on. The HR folks are just as sharp as the IT folks, it appears. (I write as an HR management consultant and former smoker, so I do know something about this.)

Re:HIPAA - SHMIPAA (1)

Yvanhoe (564877) | more than 4 years ago | (#29463919)

My first thought was: and what charges will the woman and the hospital face for making this possible at all?

Don't get it... (0)

Anonymous Coward | more than 4 years ago | (#29463127)

Why is this not HER problem? She opened the e-mail that installed the malware on a hospital computer. If I infected computers at work, it'd be on me, not whoever sent me the virus.

Re:Don't get it... (0)

Anonymous Coward | more than 4 years ago | (#29463179)

Why is this not HER problem? She opened the e-mail that installed the malware on a hospital computer. If I infected computers at work, it'd be on me, not whoever sent me the virus.

So if I was to mail you a package with three sticks of dynamite, a blasting cap, and had it rigged to blow up when you opened it... it'd be your fault for getting blown up?

Re:Don't get it... (2, Insightful)

booyabazooka (833351) | more than 4 years ago | (#29463397)

So if I was to mail you a package with three sticks of dynamite, a blasting cap, and had it rigged to blow up when you opened it... it'd be your fault for getting blown up?

Almost a good analogy, except that mail bombs are not sent as frequently as malicious emails. If a significant portion of packages contained explosives, then yes, we probably would hold recipients accountable for not taking appropriate precautions when opening their mail.

Re:Don't get it... (0)

Anonymous Coward | more than 4 years ago | (#29463419)

Of course. Both the recipient and sender of the mail bomb are at fault.

Re:Don't get it... (2, Insightful)

gnud (934243) | more than 4 years ago | (#29463445)

No.

If you mailed me a package with a cover letter saying "attach the fuse so and so, and you can see FUNNY KITTENS", and I did, THAT would be just as much my fault.

And since she ran the attachment, she's at fault too. In theory, his email account could have been taken over by bad bad men, who spammed evil viruseses to all his contacts. In that case, it would have been purely her fault (not his).

Re:Don't get it... (0)

Anonymous Coward | more than 4 years ago | (#29463643)

That's still a horrible analogy. To be a BETTER analogy and still along the same lines, how about you disguise the dynamite, very convincingly, as fuzzy kittens and fool the recipient into thinking that activating the blasting cap would make the kittens act funny. That's a little bit more along the lines of a trojan. You may know something is a little odd, since you're getting something of value unexpectedly, but your curiosity is aroused and your knowledge too limited to see through the ruse.

Re:Don't get it... (1)

Tuoqui (1091447) | more than 4 years ago | (#29463645)

So if I was to mail you a package with three sticks of dynamite, a blasting cap, and had it rigged to blow up when you opened it... it'd be your fault for getting blown up?

Yes, but that is something that is lethal... This, while dangerous, hasn't directly killed anyone involved. It'd be more like sending someone a bag of dog shit and stinking up their house when they open it. It can eventually go away but you'll always remember what happened.

Re:Don't get it... (1)

bcmm (768152) | more than 4 years ago | (#29463743)

It's more like sending someone a bag of dog shit, and that someone is an idiot, who eats the dog shit. Then blames you.

Stereotype much? (4, Insightful)

CarpetShark (865376) | more than 4 years ago | (#29463133)

Let this be a lesson to all the broken-hearted geeks out there.

Uhh, we're not all psycho-privacy-invaders with no ability to let go and move on, you insensitive clod.

Re:Stereotype much? (4, Funny)

WarJolt (990309) | more than 4 years ago | (#29463175)

Hey!!! speak for yourself.

Re:Stereotype much? (3, Funny)

RuBLed (995686) | more than 4 years ago | (#29463243)

Let this be a lesson to all the broken-hearted geeks out there.

Geeks create and/or build their own keyloggers from code so we would be sure that the chances it would be detected are low and that we are the only ones who would see it.

Also there is no such thing as a broken-hearted geek. Natalie Portman is still alive.

Who is really at fault? (5, Insightful)

89cents (589228) | more than 4 years ago | (#29463139)

a) The man for emailing the spyware?

b) The woman for opening it and infecting the computer?

c) Yahoo for not blocking it?

d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

e) Some combination of the above?

Re:Who is really at fault? (5, Insightful)

wordsnyc (956034) | more than 4 years ago | (#29463189)

d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

Bingo. They failed to take steps a reasonably prudent person would have taken to protect patient confidentiality under Federal law. Spyware installation via email is not exactly news.

Re:Who is really at fault? (1)

LordAndrewSama (1216602) | more than 4 years ago | (#29463529)

Sure the hospital gets a fail, but invasion of privacy is still a crime, isn't it?

Re:Who is really at fault? (5, Interesting)

malkavian (9512) | more than 4 years ago | (#29463769)

Right. Ever worked in that environment? Nope? Thought not.. I have..
You're faced with:

Consultant (medical doctor) says "I need to access the net to be able to read research papers, proposals, and various ad hoc sites that contain research on the subjects that I deal with, along with external mail that I use because I move from hospital to hospital quite regularly.".
IT says: "You can't access the net from that machine".
Consultant goes to see hospital directors, stamps feet, and IT get overridden.

Bear in mind there are several thousand PCs on a lot of hospital sites, with maybe 3 technicians to go fix and maybe one or 2 sysadmins. Hospital HR frequently sees IT as just waving a magic wand and things happen miraculously, so it's a "good way to save costs".
If you tie machine names down that can't access the net, I can guarantee a consultant will find a way to get a machine in the area that does, even if it's moving someone else's there.
As for breaking terms and conditions of use. Who do you think will win that pissing competition? Someone in the beleaguered and underfunded/under-resourced IT department who is overlooked and overworked, or the consultant with the handshakes and the ear of the board of directors?

Coupled with the fact that not all antivirus and anti-malware will spot every variant. It'll get 90+ percent, but you always hear about the ones that get through.
I'm surprised an executable got through the proxy filtering there, but hey.. Without knowing all the ins and outs of this in detail, I'm going to reserve judgement.

The real world can be a messy morass of politics.. Working in a hospital, or academia, really has that in excess.. Try working in one if you think it's easy.. I'd be interested in hearing your opinion after doing it for a while..

Re:Who is really at fault? (1)

war4peace (1628283) | more than 4 years ago | (#29463193)

I'm assuming all of the above, but it could as well be any.

Re:Who is really at fault? (1)

WarJolt (990309) | more than 4 years ago | (#29463233)

The man is criminally liable for sending the e-mail and infecting computers.

The hospital is at fault for releasing the documents.

Yahoo doesn't claim to block ALL threats. Yahoo is fine.

In order to find the woman at fault you would have to prove she is criminally negligent.

I say A and D are in trouble, but I bet you B gets fired.

Re:Who is really at fault? (4, Insightful)

pz (113803) | more than 4 years ago | (#29463249)

a) The man for emailing the spyware?

Yes, for causing spyware to be installed. Electronic trespassing. Theft of HIPAA-regulated information. Stalking.

b) The woman for opening it and infecting the computer?

Yes, for abject stupidity.

c) Yahoo for not blocking it?

Probably not.

d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

Yes, for IT incompetence. But they are also liable for some serious charges for violation of HIPAA regulations. It's entirely possible they will lose all Federal support. Breaching HIPAA is a big deal.

Re:Who is really at fault? (0)

Anonymous Coward | more than 4 years ago | (#29463375)

It's entirely possible they will lose all Federal support. Breaching HIPAA is a big deal.

In your imagination it is. Can you name one significant case where HIPAA was enforced with any real severity? I'll even give you time to google it...

*crickets*

Re:Who is really at fault? (3, Insightful)

BenevolentP (1220914) | more than 4 years ago | (#29463601)

I'm so sick of the "guilty of stupidity" argument so common here on slashdot.
For most people, computers are still a small, convenient part of life, so they don't educate themselves about its threats.

But even if they are actually stupid, as in low IQ or poor planning abilities, that does NOT make them guilty in any sense if they're victims of some sad, controlling stalker.

Reminds me a little of some people who say that people who get caught smoking pot 3 times deserve the 25 years in prison they get in some stone-age places I heard of because they were "so stupid".

Stupid people suffer, too, and are mostly not at fault for their stupidity.

Re:Who is really at fault? (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29463729)

Breaching HIPAA is a big deal.

Is it? Have things changed since 2006?
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html [washingtonpost.com]

"In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases."

Lots of legislation gets passed to placate voters, but is deliberately de-fanged by not providing funding or a directive for enforcement. The trick is probably as old as politics.

Re:Who is really at fault? (2, Insightful)

Kjella (173770) | more than 4 years ago | (#29463755)

b) The woman for opening it and infecting the computer?

Yes, for abject stupidity.

Why? It's a computer where apparently public internet access is accepted; being tricked into installing spyware is stupidity but hardly criminally negligent stupidity. To me it sounds like a major WTF in security design (one PC for both) and permissions (how did she manage to execute the spyware), but her actions are just simple gullibility that millions of users fall for.

Re:Who is really at fault? (2, Interesting)

The Archon V2.0 (782634) | more than 4 years ago | (#29463325)

a) The man for emailing the spyware?

b) The woman for opening it and infecting the computer?

Is this like that question in ethics class where we had to decide who was the most moral, a question seemingly designed to start fights? I'm no good at those - I say the goon at the end, but then people call me horrible.

Explanation in case it's not as universal as I thought....

A woman has to get to her wedding, but the only way is to ride with the boat captain, who will only accept sex for payment. She rides the bumpy boat to the church, makes it there on time. The groom ditches the bride at the altar when he learns what happened so she hires a goon to beat her would-be husband nearly to death, which he does while she laughs.

Who's the most moral? The bride, the groom, the boat captain, or the goon? I always figured the goon was the most moral because he's offering a business service in a free market, and seems to have a willingness to make sure the customer gets his or her money's worth. No one agreed with me.

Re:Who is really at fault? (1)

shentino (1139071) | more than 4 years ago | (#29463909)

The bride, apart from breaking her virginity, took pleasure in the groom's misery.

The captain, much like Microsoft, was the sole arbiter of church transportation and exploited his position to secure monopoly profit of sex.

The goon, just like a mercenary, committed assault for profit.

The least immoral would be the groom. Lack of sympathy notwithstanding, he is the only one of the bunch that has clean hands.

Regarding the actual scenario, it depends on the facts.

First of all, if she violated internal regulations regarding access to personal email, ding.

If she knowingly opened an executable attachment, ding.

However, if the attachment opened itself automatically without intervention on her part, then no ding.

Incompetent IT staff misconfiguring/failing to properly secure the computer/network, ding, unless they were forcibly overruled by management.

Management, if they prevented IT from securing the system.

The sender, if he manually intervened to cause the malware to be sent.

Quite honestly, if the malware was an autopropagating worm, there's not much blame to be had outside of who launched it.

Re:Who is really at fault? (1)

gmuslera (3436) | more than 4 years ago | (#29463367)

You are missing a few alternatives

f) The one that wrote the spyware

g) The ones that decided to put Windows connected to the internet and managed by people with no concept of security on computers with sensitive information

h) Bill Gates

i) Canada (when in doubt, blame Canada)

Re:Who is really at fault? (1)

hyfe (641811) | more than 4 years ago | (#29463401)

Who is really to blame for a rape?

a) The man doing it?
b) The woman for wearing suggestive clothes?
c) The Police for not being there?
d) The nightclub they met at for not monitoring everything closely enough?

..and yes, I do know the analogy doesn't quite hold, but I do believe it's close enough. If you commit a crime, you're at fault for breaking it. Always.

The victim should never get the blame for not anticipating somebody being an asshole. You might say they already got their punishment for that mistake.

Re:Who is really at fault? (2, Informative)

gnud (934243) | more than 4 years ago | (#29463479)

What I (and I suspect others) mean, is that she should really have known not to open email attachments on that computer.

Of course the dude's at fault. But this could easily have been prevented. I could try to fit this into a rape analogy, but that would just be sad.
You can never prove that a rape wouldn't have happened if not for the miniskirt.
The spyware would not have gotten installed if not for her running weird programs on a hospital computer.

On the other hand, she should probably not have been allowed to check her private email on that computer at all.

Re:Who is really at fault? (1)

trapnest (1608791) | more than 4 years ago | (#29463559)

Except that being raped requires no interaction from you. She decided it was a good idea to run an exe from her personal email account on what was supposed to be a secure machine.

E) (1)

bertoelcon (1557907) | more than 4 years ago | (#29463411)

Yeah, it's E) as all but C) because Yahoo doesn't promise 100% accuracy.

Re:Who is really at fault? (1)

Idiomatick (976696) | more than 4 years ago | (#29463551)

Blame Canada! Blame Canadaaaa~~

It isn't even a real country anyways.

Re:Who is really at fault? (1)

bigdaisy (30400) | more than 4 years ago | (#29463667)

a) The man for emailing the spyware?

b) The woman for opening it and infecting the computer?

c) Yahoo for not blocking it?

d) The hospital for not only allowing internet access from a computer with personally identifiable information, but for also allowing the spyware to get installed.

e) Some combination of the above?

f) Nobody. It was a failure of the "system", so nobody has to take responsibility.

If I were Judge Judy.... (1)

TapeCutter (624760) | more than 4 years ago | (#29463789)

....I would judge b) thru e) as incompetence, and a) as malice aforethought.

The woman is a careless victim, the patients are innocent victims, the hospital is a victim of its own incompetence, the guy is a creepy bunny-boiler who got more than he bargained for when he deliberately hacked her computer.

If I were Judge Judy, after lecturing all three on their different styles of stupidity I would then award as follows:
The hospital would get nothing in the way of compensation and would be forced to come back in a month with a happy court-appointed ipsec auditor.
The woman would at worst get a written warning from the hospital.
$30K, three months, plus a GPS bracelet for a year, plus costs would seriously fuck with the guy's personal life, which seems fair punishment to me in an eye-for-an-eye kind of way.
It's impractical to involve individual patients so the $30K would compensate the "patients" by seriously upgrading the box of broken plastic and tattered books that children's wards euphemistically call their "toy box".

Not applicable to slashdot (1)

syousef (465911) | more than 4 years ago | (#29463161)

Your basement doesn't have an email account, and doesn't leave you when you treat it badly ;-)

Enough for everyone (1)

QA (146189) | more than 4 years ago | (#29463207)

How did the .exe get through hmmm? Secondly, the machines should be locked down just a tad tighter one would think.

Lots of blame to go round on this one.

$33.000 in damages? (1)

El_Muerte_TDS (592157) | more than 4 years ago | (#29463227)

How did they get to that number? Removing spyware isn't that expensive. For that money you could even replace a bunch of machines and trash the old ones.

Re:$33.000 in damages? (0)

Anonymous Coward | more than 4 years ago | (#29463287)

I haven't read the article, but I assume that's punitive, not compensatory.

Re:$33.000 in damages? (0)

Anonymous Coward | more than 4 years ago | (#29463757)

I agree, that's the first thing I thought too.

Re:$33.000 in damages? (4, Insightful)

malkavian (9512) | more than 4 years ago | (#29463821)

Forensics, identifying exactly what the spyware was, conducting a thorough scan of all the network to see if it had spread, identifying what data was transferred, the infection vector, the administrative overheads of stopping the normal work to call an 'emergency situation' in which the sysadmins will concentrate on this exclusively, possibly not doing other maintenance work, or systems commissioning thus holding up medical projects (with the cost to them too).
Administrative time throughout the hospital, as a fair part of the management chain will have this as a high-profile item to concentrate on, police liaison (and having time to have them on site to investigate in situ, and having technical staff support them), communications time to liaise with the press, people to field the phone calls that come in, extra load on the patient support lines to cope with frantic patients who aren't in the best state of mind anyway after suffering cardiac problems, who are now worrying about what of their information is in the wild. That's the tip of the iceberg, by the way.
Begin to see how that racks up to the big numbers? The machines aren't the expense, they're practically disposable. Unfortunately, data isn't tangible, so the non-IT staff don't see this shiny big item, and thus (out of sight, out of mind) don't consider it worth spending money over. All they see is that clicking a button makes data appear. Magic. Doesn't take effort, so why do they need an IT team to make it work? They decide they don't, cut IT funding (or never put it there), and eventually something like this happens because there isn't resource to make a secure network. And when it does, who gets the blame? Even from supposed 'geeks' who are supposed to understand what it's like being in an intensive overstressed IT role?

Re:$33.000 in damages? (0)

Anonymous Coward | more than 4 years ago | (#29463897)

In America, damages don't mean how much the cost of the crime was, it's the amount of money they think the court will let them get away with.

Play stupid games... (1)

Nick Driver (238034) | more than 4 years ago | (#29463253)

...win stupid prizes.

wait, wha...? (0)

Anonymous Coward | more than 4 years ago | (#29463257)

Wait, why did they not have sufficient protection against this? Let this be a lesson to the hospital.

Not a Prank (4, Informative)

pz (113803) | more than 4 years ago | (#29463271)

The article's title is "Spyware Prank Exposes Hospital Records".

The actions described are not a prank. They are serious, and illegal by many standards. If the accusations are true, the fellow deserves everything thrown at him. The article's title should be changed to reflect the severity. Installing spyware to keep tabs on your ex-GF is not a prank. It's stalking.

Re:Not a Prank (2, Interesting)

umghhh (965931) | more than 4 years ago | (#29463447)

Why is this fellow responsible for getting the records? This was obviously not his goal, and if he is charged for it then it is just laughable. OTOH he is responsible for attempting to invade his ex's privacy and that is serious enough to get some sort of punishment, but why is the hospital getting the money? They are guilty of criminal negligence in handling patients' data, so they should be paying, not getting paid.

To me it looks like one more example of the justice system malfunctioning. It is not a great malfunction, but it shows that punishment and the crime are matched not by the facts but by the random acts of gov. officials. Was it not something that the American Constitution tried to prevent?

Re:Not a Prank (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29463647)

The man may be liable to pay the hospital damages because he actually caused damage to the hospital (albeit unintentionally - which should lessen the punishment for the act). He surely should get punishment, how much that's a matter of what is written in the law, and the opinion of the judge in the grade of seriousness of the crime (assuming it's a crime, not an offense - this is also written in the law).

On the other hand the hospital may be liable to pay damages to their patients whose details were exposed.

This is justice at work properly imho - the court case is about this man intentionally sending spyware to spy on someone, and managing to get it installed. It is not about the hospital breaching regulations.

I think we can all agree that the hospital was most certainly at fault AS WELL here for allowing such personal information to get out - but that should become a second court case; presumably initiated by either the government for breaching a government mandated regulation, or by a patient whose data got exposed. And in this case I'd call the hospital even very much at fault for allowing so open Internet access from a computer with such sensitive data on it.

Re:Not a Prank (5, Insightful)

coaxial (28297) | more than 4 years ago | (#29463705)

why is this that fellow that is responsible for getting the records - this was obviously not his goal and if he is charged for it then it is just laughable.

What the hell is this supposed to mean? Since when has committing a crime unintentionally ever been a defense?

"Oh officer! I wasn't INTENDING to kill all the cancer-stricken orphans when I was driving drunk, speeding, and firing my gun wildly! I was just intending to disturb the peace!"
"Oh! Well, that's a horse of a different color! I'll let you go with a warning then. Just try and keep it down next time. People are trying to sleep around here."
"Will do!"

but why is the hospital getting the money - they are guilty of criminal negligence in handling patients' data so they should be paying not getting paid.

1. It's criminal trespassing to access a computer without permission. Which he did by sending the spyware to someone with the intent to observe them.
2. The hospital didn't hand out the data. It was stolen. It's still theft even if I leave the door wide open. It wasn't his. He has it, as a result of his actions.

to me it looks like one more example of justice system malfunctioning. It is not a great malfunction but shows that punishment and the crime are matched not by the facts but by the random acts of gov. officials. Was it not something that american constitution tried to prevent?

The opinion of someone who is woefully ignorant of the law, the intent of the law, common law, and basic morality, but yet somehow is an expert on constitutional law.

It must be tough being so smart and surrounded by so many people that are blind to your brilliance.

Go home and cry in your Ayn Rand novel.

Re:Not a Prank (2, Informative)

Ihlosi (895663) | more than 4 years ago | (#29463941)

Since when has committing a crime unintentionally ever been a defense?

Um, always? Most crimes require intent. Some require merely negligence. If you're charged with a crime that requires intent, and intent cannot be proven, then you cannot be sentenced for it.

"Oh officer! I wasn't INTENDING to kill all the cancer stricken orphans when I driving drunk, speeding, and firing my gun wildly! I just intending to disturb the peace!"

1. You're not being charged with anything by a police officer. That's the job of the prosecutor. And you'd be stupid for saying anything like that to the police officer arresting you. Remember the Miranda rights?

2. Killing people is one of the few things that are a crime even if done negligently. However, there's a difference between murder and involuntary manslaughter.

Re:Not a Prank (3, Insightful)

Dhalka226 (559740) | more than 4 years ago | (#29463951)

Since when has committing a crime unintentionally ever been a defense?

Sometimes, but more importantly it is pretty much always a mitigating factor. Your hypothetical person would be charged with reckless homicide, not capital murder (DUI = felony, murder = felony, having a gun during commission of a felony = felony). It sounds like he killed enough people in the anecdote for the differences to be semantic, but it's not nonexistent.

Intent does matter. In this case, you can be pretty sure that's the reason the charge is only intercepting or conspiring to intercept electronic communications. They could easily have tacked on any number of unauthorized access/"hacking" charges.

1. It's criminal trespassing to access a computer without permission. Which he did by sending the spyware to someone with the intent to observe them.

Yeah, and? You said it yourself: criminal trespass. It's a government charge. The "victim" doesn't get the money. If they want to recover whatever it cost them to clean the systems and do whatever else it is they've done as a result of this, they can recover that via a civil action. And in any event, he wasn't charged with illegally accessing a computer system, he was charged with illegally intercepting electronic communication.

To the degree that the government is handing over the money, the question remains. I don't know if it's an unrelated out-of-court agreement with the hospital to avoid litigation, however. The wording in the article wasn't clear.

2. The hospital didn't hand out the data. It was stolen. It's still theft even if I leave the door wide open. It wasn't his. He has it, as a result of his actions.

True. The question is what exactly the software did and how it works. A hospital employee shouldn't be able to install software on a department's computers at all. So what happened? Is it just really good spyware, able to avoid all the protections they had in place? Or is it that they didn't have any protections in place at all? Did the employee specifically download and run the attachment, regardless of what she thought it was? Or was it something that simply installed itself?

The answers to those questions don't matter in terms of what the man did, but they do matter. There are extremely strict laws on the books about protecting patient data. If this is a symptom of their failure to do so, they could easily end up on the wrong side of legal action by either the government or the patients whose data was disseminated. I've no doubt that's what the OP was referring to when he said they should be paying, not getting paid. We don't have all the facts by any means, but it sounds like their security on systems capable of accessing patient records was spotty at best. That shouldn't be any more acceptable than what the man did.

The opinion of someone who is woefully ignorant of the law, the intent of the law, common law, and basic morality, but yet somehow is an expert on constitutional law.

Basic morality? Really? What he did was undoubtedly wrong, and he should be punished. But do you really think it's a felony? Should he really be locked up for five years because of it, in addition to a $33,000 fine? For the average American, $33,000 is essentially a year's worth of labor for free. That's a pretty hefty punishment all by itself. Five years? That's the sort of sentence we hand out for burglary or aggravated assault. This is not a man who is a danger to society. At this point we're left simply to hope that the judge is reasonable and there is sufficient leeway in the federal sentencing guidelines that this doesn't turn into a total miscarriage of justice. Surely justice counts among the intent of the law and basic morality, doesn't it?

Maybe I'm one of these left-wing softy types, but what this guy needs more than anything--far more than jail time or $33,000 fines--is a psychologist. Somebody who was pretty obviously dumped by his girlfriend and immediately thinks "hey, I know! I'll spend $120 to buy a program to track her every online move!" is in a pretty shitty emotional place. Chances are there are other underlying issues as well. He should be punished, but not destroyed.

Couldn't happen here... (5, Interesting)

Nomaxxx (1136289) | more than 4 years ago | (#29463275)

In Belgium, many of the hospitals have most of their computers running Linux...

Re:Couldn't happen here... (0)

Anonymous Coward | more than 4 years ago | (#29463465)

In Belgium, many of the chocolate factories use Gnome(s).

Re:Couldn't happen here... (1)

horatiocain (1199485) | more than 4 years ago | (#29463535)

Good job, Belgium! In the US, it's *entirely* windows for hospitals. The only exception is those facilities that are still using mainframes and dumb terminals. Terrifying, really.

Re:Couldn't happen here... (1)

velen (1198819) | more than 4 years ago | (#29463639)

Great. Now get some of those vendors to translate their solutions to English and post it for sale outside of Belgium. Software in Dutch for Linux, hmm...

Re:Couldn't happen here... (4, Insightful)

wvmarle (1070040) | more than 4 years ago | (#29463673)

I'm sure there exists spyware for Linux as well.

It is a lot harder to get an executable sent over e-mail to run on the system, but it is still possible. Running Linux does NOT make one immune against these kinds of attacks.

I'm quite sure Linux is easier to secure than Windows, but the core error this hospital made was not so much running Windows as not closing off all access to the Internet. It just doesn't go together with sensitive patient data. Those Linux computers your Belgian hospitals are working with should also be shielded thoroughly from the open Internet.

Re:Couldn't happen here... (2, Insightful)

Deanalator (806515) | more than 4 years ago | (#29463681)

Except that there are plenty of keyloggers, trojans, rootkits etc. for Linux as well, open source and commercial. Remember that when kiddies scan for weak PHP code, they will land on a Linux box at least 90% of the time.

Re:Couldn't happen here... (1)

coaxial (28297) | more than 4 years ago | (#29463715)

In Soviet Russia Linux runs YOU!

Re:Couldn't happen here... (1)

Engeekneer (1564917) | more than 4 years ago | (#29463723)

This might help for now, but if - like it seems - Linux is getting more widely used, it will get its fair share of malware too; well, there already is a bunch. What the hospitals need to do is not trust that the operating system is completely secure, but secure their systems independent of the OS used. Come on, allowing that level of general internet access from a computer that handles patient information? Why not put the info on a USB stick and just forget it somewhere.

Re:Couldn't happen here... (1)

Ronald Dumsfeld (723277) | more than 4 years ago | (#29463765)

In Belgium, many of the hospitals have most of their computers running Linux...

Unfortunately, it doesn't mean 'apt-get cure-for-cancer' works.

I hope the woman lost her job as well... (0)

Anonymous Coward | more than 4 years ago | (#29463307)

Shouldn't be opening personal e-mail at work, on corporately owned computers.

Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#29463341)

This says enough about the state of health care in the U.S., if you haven't noticed. Most of the time, the staff is doing absolutely nothing while people are waiting for them to move their ass to grab some paperwork.

I welcome reform.

This opinion is owned entirely by me but should be your opinion too.

MS Windows Doesn't Work (0)

Anonymous Coward | more than 4 years ago | (#29463343)

I have uttered this before and been made fun of for it... but nonetheless I'm going to say it again. MS Windows does not work. Despite the fact that it is consistently used all over the place, MS has failed to produce a solution that isn't prone to constant failure and problems. Maintenance is costly, and even when maintained, security tends to fail to protect the system.

Pretty Steep (1, Funny)

Anonymous Coward | more than 4 years ago | (#29463345)

That's quite a lot of money and jail time. Good thing he didn't download a song, then he'd REALLY be in trouble.

What could be worse (1)

zlel (736107) | more than 4 years ago | (#29463427)

What could be worse than a bad breakup?

odd (4, Insightful)

wizardforce (1005805) | more than 4 years ago | (#29463435)

Does anyone else find it odd that the real damage was done to the patients and yet the hospital is being compensated for damages and not the patients? Wouldn't the hospital also be liable for the damages, considering that their IT department failed to put up reasonable protection?

Re:odd (1)

Idiomatick (976696) | more than 4 years ago | (#29463603)

The company always wins; think of the court system like Vegas, corporations are the house.

In this case a guy committed an offense against his ex.
It ended up hurting her hospital's patients.
Half the blame should go to the hospital for breaking the rules set up so this should be impossible.
Possibly to the girl as well, if she violated company policy in getting the email.
In the end the hospital gets the money.

Re:odd (1)

Idiomatick (976696) | more than 4 years ago | (#29463625)

In reality the girl should be suing the guy for attempted stalking or w/e maybe just get a restraining order. And the patients should be suing the hospital for allowing such a breach in security. And if the girl broke company policy the hospital should be firing/charging the girl.

But that just makes too much sense...

Re:odd (3, Insightful)

malkavian (9512) | more than 4 years ago | (#29463779)

The hospital will be compensated for material damages. They are bound by law to inform the patients that their data has been released. Those patients will take up lawsuits against the hospital, which will be investigated, and they will receive large amounts of compensation.
Odds on, if you look at the structure, you'll see the IT dept is overworked and underfunded, so the real responsibility lies with the Directorate of the hospital, penny-pinching on a department they don't see as shiny enough to be well funded.

Why is this on the same network? (1)

228e2 (934443) | more than 4 years ago | (#29463519)

Correct me if I am wrong, but medical records like this should not even be on the same network that connects to the outside. Corporations everywhere have dedicated intranets for such private matters along with a public internet that is 100% unconnected to the internal system. Poor, poor, poor structure from top to bottom.

Who are they punishing??? (1)

rew (6140) | more than 4 years ago | (#29463847)

Why don't they fine the guy $100 for trying to spy on his girlfriend, and why don't they fine the woman $50,000 in damages and fire her for violating hospital security procedures (at least two of them: viewing private Email on work computers, clicking on executable attachments)?

Why don't they fine the hospital $1Million for not properly protecting the privacy of their patients?

Did the guy intend to spy on the medical procedures of those patients? No!

Suppose you're walking around as a tourist somewhere, happily shooting pictures of the landmarks with your expensive new 24 megapixel camera with 400mm zoom lens. So you shoot a picture which, say, captures some trade secret. Now do you get thrown in jail for industrial espionage?

It is completely different if you specifically buy that camera and lens with the intent to take those industrially sensitive pictures, and especially position yourself in a way that you can photograph the competition's board room.

Offtopic (0, Offtopic)

Exception Duck (1524809) | more than 4 years ago | (#29463895)

We need to automatically post the top story of the day 4, 5, 6 years ago from now. You could take the most commented story on those 3 days in question and repost it.

Also, why doesn't /. work on Chrome? The +- thingy appears at the bottom of the story.

Excusable behavior (1)

amn108 (1231606) | more than 4 years ago | (#29463917)

Seems like everyone is discussing the more technical details of this incident. I, for one, am much more "interested" in the moralistic side. I find it lowlife that this scumbag could not be man enough to realize the woman wanted to fuck someone else, and was so desperate as to reduce himself to a stalker, and not even a stalker that you can actually identify as a stalker, but a stalker that is himself "stealthy". After all, planting spyware, provided you don't get caught, does not get more anonymous than that. Wussy. Then again, our "human nature" takes the best of us every single time. Practically, the five disturbing feelings (after Buddha's terminology) - jealousy, anger, pride, ignorance and attachment/desire - rule our societies.
