University Health Center Hacked – Well Really Alumni Relations

Posted on June 7, 2006 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Not too long ago I ran accross an article that talked about Ohio University’s server being hacked and in a hackers hands for a long period of time. I honestly don’t think this is really all that common. In fact, after working with a friend of mine in college who was excellent at hacking I think this happens a lot more than we ever realize and definitely more than ever gets published. Not that the practices of this article are acceptable, but I don’t think we should be naive.

Many may be wondering what a University getting hacked is doing on an EMR and HIPAA blog. Well, read this quote from the article:

How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn’t receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.

The culprits who broke into the other two servers made off with health records belonging to students treated at the university’s health center, as well as Social Security numbers of an additional 60,000 people.

Does this really make sense to any rational person? What is a student’s health record doing on a server supportint the alumni relations department? Not to mention on a server that someone isn’t updating. At the rate that Windows puts out updates I think we are all guilty of sometimes being a bit lazy in our updating policy. However, to forget about the machine and think it is shutdown is ridiculous. That has HIPAA violation and HIPAA lawsuit written all over it.