At least tens of thousands, if not millions of medical records of New York patients were until recently readily accessible online to just about anyone who knew how to look.

Patient demographic information, social security numbers, records of medical diagnoses and treatments, along with a plethora of other highly-sensitive records were left completely undefended by a medical IT company based in Louisville, Kentucky. The files, which belong to at least tens of thousands of patients, originate from Bronx-Lebanon Hospital Center in New York.

In a statement provided to Gizmodo—and published by NBC News Wednesday night—Bronx Lebanon said that a server containing its patients’ data had been the “target of an unauthorized hack by a third party,” attributing that assessment to the hospital’s vendor, iHealth Solutions. The hospital added that iHealth had taken immediate steps to protect the data, and that both parties were “cooperating fully with law enforcement agents.” iHealth Solutions did not respond to request for comment.

However, according to Kromtech Security Center, a German security software development firm, the leak was not the result of a malicious hacker infiltrating the Bronx Lebanon server. Instead, the firm’s analysis showed that the data was left unprotected on a backup storage device, without a password, accessible to anyone online. It also appears likely that the data was not protected by an active firewall, exposing an untold number of patients to crimes such identity theft and blackmail.
[…]
In March, Kromtech reported that more than 400,000 audio recordings of telemarketing calls had been exposed online, including many in which customers provided sensitive information, such as credit card details. A month before, the researchers helped secure the personal data of nearly 25,000 California sheet metal workers. Before that, it was a Missouri sheriff’s office, which had inadvertently leaked audio recordings of police informants of victims involved in crimes as serious as child molestation.

Source: Huge Trove of Confidential Medical Records Discovered on Unsecured Server Accessible to Anyone

Secure rsync, people!

“An ‘accidental hero’ has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations…” writes The Guardian. An anonymous reader quotes their report:
A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a “kill switch” in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to — just as if it was looking up any website — and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.

You can read their first-person account of the discovery here, which insists that registering the domain “was not a whim. My job is to look for ways we can track and potentially stop botnets…” Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added “IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP.”

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a ‘bad domain’, which allows the malware to continue spreading. “Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I’m receiving!”

slashdot