So there’s a bit more to the incidents recently disclosed by Jefferson Medical Associates that I had reported here.
Now WDAM reports that it was Chris Vickery who had discovered a misconfigured database and had alerted JMA. For their part, JMA is pretty much accusing Vickery of hacking them. Here we go again….
From WDAM’s report:
“I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up,” he said. “When I realized there social security numbers and names and phone numbers and prescription information, it dawned on me that ‘hey this probably should not be public if it is real data.’ So then I started the process of trying to figure out whose it was.”
Jefferson Medical said Vickery was an unauthorized individual who shouldn’t have had access to that information.
“This information is private information,” said Katie Gilchrist, Jefferson Medical’s legal counsel. “It’s federally protected information. It’s information that was on our server. This individual accessed it without our permission. He did in secret. There has never been a time when patient information in Jefferson Medical’s possession has been just out there for anyone to get to.”
Vickery agrees he shouldn’t have had access and said that’s why he alerted the clinic to the hole in its security.
“It was as available as a website is,” Vickery said.
Gilchrist said, “Basically it’s like leaving a window unlocked in your house. You leave the house, and you leave a window unlocked. These folks out there think that entitles them to come into the house and look around at all your stuff and then take things with them when they leave. That’s just not appropriate.”
Vickery said this isn’t a hack because the information was readily available to anyone who knew where to look.
[…]
JMA and Vickery also disagree on how extensive the breach was:
Gilchrist said about 10 percent of patients’ information could have been compromised, which she said was about 10,000 people. However, Vickery said he saw as many as 62,000 records in the database.
“If they’re saying there are only 10,000 entries, they’re trying to claim there were a lot of duplicates.”
Read more on WDAM.