By Kevin Poulsen
July 25, 2006
Georgetown University Hospital suspended a trial program with an
electronic prescription-writing firm last week after a computer
consultant stumbled upon an online cache of data belonging to
thousands of patients, Wired News has learned.
The leaked information included patients' names, addresses, Social
Security numbers and dates of birth, but not medical data or the drugs
the patients were prescribed, says Marianne Worley, a spokeswoman for
the Washington, D.C.-based hospital known for providing emergency care
to the nation's most powerful political figures.
The hospital had securely transmitted the patient data to
e-prescription provider InstantDx. But an Indiana-based consultant
accidentally discovered the data on InstantDx's computers while
working to install medical software for a client.
"The initial investigation has found that no patient demographic data
was inappropriately used," says Worley, who says between 5,600 and
23,000 patients were affected. She added that the hospital learned of
the breach when Wired News contacted it last week.
E-prescribing allows doctors to write and renew drug prescriptions
electronically and transmit them to participating pharmacists for
fulfillment. The Georgetown trial had been under way for less than
eight months, and involved fewer than 10 doctors.
The breach highlights the liabilities of sharing private medical
records with third parties as the industry crawls toward electronic
record keeping. A survey by the Centers for Disease Control and
Prevention released last week found only about 24 percent of doctors
used some electronic health records in 2005, and only 11 percent had
gone entirely digital.
The Bush administration has set a goal that most Americans have
electronic health records with privacy protection by 2014 -- and
electronic prescription-writing is the killer app, says Peter Swire, a
law professor at Ohio State University and former Clinton
administration privacy czar.
"E-prescribing is a leading sector for electronic health records,"
says Swire. "Improper medication lists are by far the biggest source
of medical errors -- there's drug-interaction problems, there's
incorrect dosage problems. The single biggest saving from e-health is
The incident also underscores increasing exposure for security
professionals who discover and report flaws. Bug-finders have recently
lost jobs or faced criminal prosecution for going public with their
discoveries, and the incident, with certain details obscured, was the
topic of a brief but lively debate on the risks and rewards of
disclosure in the computer security community.
Maryland-based e-prescription firm InstantDx was quick to accept
responsibility for leaking the Georgetown file. The company wouldn't
say whether other hospitals and doctors' offices were represented in
the vulnerable files, but said that its systems have been secured.
InstantDx chairman and CEO Allan Weinstein describes the incident as
"a one-time quirk."
The consultant responsible for the discovery, Goshen, Indiana-based
Randall Perry, says bad security practices contributed heavily to the
incident. Perry says he accessed the data using a password he
discovered hard-coded into a popular medical practice application,
where any moderately skilled user could retrieve it.
"This is just security through obscurity," says Perry. "My home
network is probably 10 times more secure than what they have set up
Called Medisoft, the application is an all-in-one medical office suite
marketed to small practices, and capable of handling everything from
patient appointments to sending out bills. According to the product
website, it's used by 70,000 health care practitioners worldwide.
Amber Virgillo, spokeswoman for Per-Se Technologies, Medisoft's maker,
wouldn't comment on the incident, but insists the company's products
meet "high security standards."
The issue emerged when Perry configured a new laptop for a small
doctors' office, and encountered problems downloading software updates
for Medisoft. In search of a work-around, Perry dove into the
software's components, where he found an internet address, a login
name and a password for a server operated by InstantDx, a Medisoft
Using the password, Perry connected to the server with a file transfer
program and listed the contents of the directory -- hoping to find the
software updates that prompted his digital sleuthing, he says.
Confounded by the obscure file names that popped up, he executed a
command that sucked down the entire contents of the directory -- which
he describes as 2 GB of files.
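Added here as an illustration (not code from the article or from any of the companies named): a small audit script a consultant or vendor could run over an installed application's directory to find the kind of embedded connection details Perry describes, a server address plus a login name and password. The hostnames and secrets are constructed placeholders, and the script records where a credential sits without ever echoing the password itself.

```python
import re
import tempfile
from pathlib import Path

# Credentials embedded in shipped files, as the article describes:
# (1) a URL carrying userinfo, e.g. ftp://login:secret@host/path
# (2) an INI/config line assigning a password, plus nearby host/login keys
URL_CRED = re.compile(r"\b(?:ftps?|sftp|https?)://([^\s:/@]+):([^\s@/]+)@([^\s/:]+)", re.I)
KV_PASS = re.compile(r"^\s*(?:pass(?:word)?|passwd|pwd)\s*[=:]\s*\S+", re.I | re.M)
KV_HOST = re.compile(r"^\s*(?:host|server|address)\s*[=:]\s*(\S+)", re.I | re.M)
KV_USER = re.compile(r"^\s*(?:user(?:name)?|login)\s*[=:]\s*(\S+)", re.I | re.M)

def scan_text(name, text):
    """Return findings for one file; the password value itself is never recorded."""
    found = [{"file": name, "kind": "url-userinfo", "host": m.group(3), "user": m.group(1)}
             for m in URL_CRED.finditer(text)]
    if KV_PASS.search(text):
        host, user = KV_HOST.search(text), KV_USER.search(text)
        found.append({"file": name, "kind": "config-password",
                      "host": host.group(1) if host else None,
                      "user": user.group(1) if user else None})
    return found

def scan_tree(root):
    """Walk an installed application directory; latin-1 decoding keeps binaries scannable."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            found.extend(scan_text(str(p.relative_to(root)), p.read_bytes().decode("latin-1")))
    return found

def build_sample_dir():
    """Constructed stand-in for an installed app; hosts and secrets are placeholders."""
    root = Path(tempfile.mkdtemp())
    (root / "update.ini").write_text(
        "[Updates]\nServer=updates.example.invalid\nLogin=updater\nPassword=PLACEHOLDER-secret\n")
    (root / "readme.txt").write_text("Enter your password at the prompt to continue.\n")
    (root / "bin").mkdir()
    (root / "bin" / "updater.dat").write_bytes(
        b"MZ\x00\x90\x00\x03ftp://svc:PLACEHOLDER@files.example.invalid/patches\x00\xff")
    return root

def demo():
    """Scan the constructed sample tree and return the findings list."""
    return scan_tree(build_sample_dir())

if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: {f['kind']} -> host={f['host']} user={f['user']}")
```

Any hit means the shipped software carries a shared secret that every installation exposes; the fix is per-installation credentials issued by the vendor rather than a constant baked into the product.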
When he looked at one of the files, titled GUHmedpts.csv, he was
shocked to see thousands of entries for patients in the Washington,
D.C., area -- far from his client's office. He Googled "GUH" and found
it was a common abbreviation for Georgetown University Hospital.
Georgetown University Hospital does not use Medisoft, but did use
InstantDx's prescription system.
"It slowly evolved -- what it really was -- and that came to a very
somber reality," Perry says. "It's a huge breach.... I wasn't even
trying, so how about the people who are trying?"
Uncertain how to proceed at a time when companies and government
prosecutors are increasingly willing to go after people who identify
security holes, Perry sought advice July 3 from the Full Disclosure
computer security mailing list -- an unmoderated, freewheeling forum
shared by hackers and security professionals.
In an anonymous post that omitted the name of the hospital and
companies involved, and deliberately misstated some of the details,
Perry fretted about the potential consequences of telling Per-Se or
InstantDx about the problem. "And if these companies are notified,
what happens?" he wrote. "A slap on the wrist? Wash it under the rug
and label the person discovering it all to be a Black Hat?... In the
end, I feel bad for the ... people who can be totally raped of their
identities.... But, why should I be the scapegoat for pointing out
that the Emperor has no clothes?"
The message ignited a fiery debate over the July 4 holiday, with
varying and conflicted advice: He could report the discovery
anonymously, but InstantDx's server logs would quickly identify him.
Some urged caution. "Don't waste your time," one poster advised. "At
this point you risk being arrested and blamed for this finding, rather
(than) commended (for) finding it."
Nearly two weeks later, in the early morning hours of July 16, Perry
called the InstantDx help desk. "Randall called our call center at
2:30 in the morning on Sunday," says CEO Weinstein. "And our call
center ... immediately notified the technology team."
The company says it acted quickly to take the GUHmedpts.csv file off
of the server.
InstantDx attorney Robert Hudock, an e-health specialist at the
Washington, D.C., firm Epstein Becker & Green, says two separate
weaknesses conspired to create a security hole for a brief period of
time, and that no malicious activity resulted. He emphasizes that
Perry couldn't have accessed the data if he hadn't gone poking around
"Randall is the only player in the deck here," says Hudock. "He was
entrusted with a secured copy of the application that had been
appropriately licensed and installed, and he was working ... (as) a
consultant for this particular physician.
"This vulnerability wouldn't have happened if the consultant to the
physician had stuck to his responsibilities as a business associate of
the physician," says Hudock.
Mark Rasch, vice president of Solutionary and a former Justice
Department cybercrime lawyer, says the company's response smacks of
killing the messenger.
"One of the biggest problems you have is people inadvertently stumble
upon security vulnerabilities, and frequently it's because they're
trying to get their job done," says Rasch. "And what we do now is say,
'He did something wrong. He shouldn't have been there. Let's go after
him.' How does that encourage people to report vulnerabilities and get
them fixed? What they should do is give him a $10,000 finder's fee."
Reached for a follow-up interview Monday, Perry said he could no
longer discuss the incident, having signed nondisclosure agreements
with the hospital and InstantDx.
"It seems like they're trying to blame me for this, and it's left a
very bad taste in my mouth for the whole experience," he says. "If I
found something again, I doubt very much that I'd ever report it. It's
not worth it."
Swire says the leak of customer information might run afoul of HIPAA,
the federal electronic medical record keeping law, but that the
organization in charge of enforcing the law's privacy protections has
not been fiercely active.
"There's over 20,000 HIPAA complaints to (the Department of Health and
Human Services), but zero civil enforcement actions so far," says
Swire. "If HHS refuses to enforce the law, then medical organizations
will be less careful with patient data.... I believe that will make it
harder to do the next shift towards electronic medical records."