By Tim Wilson
June 3, 2008
Peer-to-peer (P2P) applications may have been the culprit in a security
breach that has exposed the personal information of more than 1,000
patients at Walter Reed Hospital, according to early reports.
Names, Social Security numbers, birth dates, and other information was
exposed through a single computer file, hospital officials said Monday.
The file did not include information such as medical records, or the
diagnosis or prognosis for patients, they said in an Associated Press
The officials declined to discuss the nature of the breach with AP,
citing an ongoing investigation. However, according to an industry news
report , Col. Patricia Horoho, commander of the Walter Reed Health
Care System, posted a Website message yesterday which suggests a
potential P2P leak.
"I need everyone to ensure that they are not loading or downloading
programs that are not authorized by the command as it increases our
vulnerability and possibly can cause a breach in protected information
being shared," the message said. Horoho's message has since been pulled
from the Walter Reed site, but the trade journal managed to get a screen
capture  before the message disappeared.
The medical center learned of the breach on May 21 from an outside data
mining company, which officials did not identify. They said the company
was working for another client, found the file and contacted Walter
The hospital said it is working to notify all of the people named in the
data file. Letters or emails were being sent out, beginning Monday.
Officials declined to say how many patients were from Walter Reed and
how many were from other military hospitals.
The chairman of the House Armed Services Committee, Rep. Ike Skelton,
D-Mo., said he wants to hear from the Army about its investigation.
"It's very troubling when private data is inappropriately released,"
Skelton said. "We must ensure that personal information is protected and
prevent any future compromise of patient records."
Several other high-profile breaches have occurred via P2P, which is
often used to share music or video files without paying a royalty fee.
In the past year, Citigroup subsidiary ABN Amro and pharmaceutical giant
Pfizer have both been breached via P2P. (See P2P Leads to Major Leak at
Citigroup Unit  and Pfizer Falls Victim to P2P Hack. )
But experts are also quick to point out that there is a growing base of
technology that can detect potential P2P leaks and help close them
before a compromise occurs. While companies such as Lumension offer
off-the-shelf tools, there also are some techniques enterprises can use
to prevent users from exposing data via P2P. (See Tech Insight:
De-Fanging P2P. )
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com