r/technology 1d ago

Human error to blame in Ascension data breach that impacted 5.6 million patients | An "honest" mistake exposed a wealth of sensitive information Security

https://www.techspot.com/news/106119-employee-error-blame-ascension-data-breach-impacting-56.html
1.2k Upvotes

177

u/XDon_TacoX 1d ago

How curious, people would pay a huge load of money for that info, and there should be a huge-ass fine and jail time; but if you confess a mistake nothing happens.

Imagine killing your neighbor, and then just making a post saying it was an accident and suddenly nothing happened... Legally I mean.

67

u/nicuramar 1d ago

Well, if you kill someone by accident it’s definitely a different punishment than if it’s deliberate. 

37

u/frenchtoaster 1d ago edited 1d ago

If you are negligent and it kills someone it's an accident and still pretty heavily punished though. If you kill someone by accident, cover it up and then get discovered it's considered nearly as bad as killing someone on purpose.

Negligently leading to the leaking of the data should be 1/4th of the punishment of publishing it intentionally, but it's not. And leaking it and covering it up / not reporting it should be punished as heavily as deliberately publishing it.

-4

u/GreyDeath 1d ago

The difference is that in this case the employee was tricked into leaking the data. There's really not an equivalent where you are tricked into killing someone. Being punished for killing somebody accidentally still requires you to do something that would be punished even if you didn't kill someone because that activity is inherently wrong, like reckless driving.

28

u/frenchtoaster 1d ago

The capability for an employee being able to be tricked into opening the whole database is security negligence. Every company that I've worked at has had "insider risk" protocols and security systems that would make that impossible for millions of records to be exfiltrated, even if there is one malicious person, much less one tricked person.

This company cut corners; it's foreseeable and entirely inevitable that this leak will happen under the controls they had in place if one person being lied to can possibly lead to a leak of the sensitive data of millions of patients.

The tricked employee wasn't negligent, the company was very much so.

0
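The kind of "insider risk" control frenchtoaster describes (a system that notices when one account pulls far more records than its job needs) can be shown as an added example that is not code from the article, from this thread or from any Ascension system. It assumes a constructed audit-log line format (`<ISO timestamp> user=<id> action=<verb> records=<n> source=<system>`), time-ordered input, and illustrative thresholds; the user names and log lines are constructed.

```python
"""Flag bulk patient-record access in an application audit log.

Added example, not code from the article, the thread or any Ascension system.
Assumptions: audit lines look like
    <ISO timestamp> user=<id> action=<verb> records=<n> source=<system>
and arrive in time order; the thresholds below are illustrative only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) source=(?P<source>\S+)$"
)

WINDOW = timedelta(minutes=60)      # sliding window per user
MAX_RECORDS_PER_WINDOW = 5_000      # more than this inside one window is an alert
MAX_SINGLE_ACTION = 1_000           # any single action over this is an alert

# Constructed sample: a clinician's normal chart views, a reporting analyst's
# routine queries, and two bulk exports from the clinician's account.
SAMPLE_LOG = """\
2024-05-08T08:02:11 user=nurse07 action=view records=1 source=ehr
2024-05-08T08:05:40 user=nurse07 action=view records=1 source=ehr
2024-05-08T08:30:02 user=analyst02 action=report records=800 source=warehouse
2024-05-08T09:10:15 user=analyst02 action=report records=900 source=warehouse
2024-05-08T09:12:50 user=nurse07 action=export records=2500 source=ehr
2024-05-08T09:15:03 user=nurse07 action=export records=2600 source=ehr
2024-05-08T11:00:00 user=analyst02 action=report records=900 source=warehouse
"""


def parse_line(line):
    """Parse one audit line into a dict; raise on anything unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised audit line: {line!r}")
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "user": d["user"],
        "action": d["action"],
        "records": int(d["records"]),
        "source": d["source"],
    }


def detect_bulk_access(lines):
    """Return a list of alert dicts, in log order.

    Two rules: a single action touching more than MAX_SINGLE_ACTION records,
    and a user's running total over the sliding WINDOW exceeding
    MAX_RECORDS_PER_WINDOW.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, records) inside window
    totals = defaultdict(int)     # user -> sum of records inside window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, q = ev["user"], recent[ev["user"]]
        # Slide the window: discard this user's events older than WINDOW.
        while q and ev["ts"] - q[0][0] > WINDOW:
            _, old = q.popleft()
            totals[user] -= old
        q.append((ev["ts"], ev["records"]))
        totals[user] += ev["records"]
        if ev["records"] > MAX_SINGLE_ACTION:
            alerts.append({"kind": "single_action", "user": user,
                           "ts": ev["ts"], "records": ev["records"],
                           "action": ev["action"], "source": ev["source"]})
        if totals[user] > MAX_RECORDS_PER_WINDOW:
            alerts.append({"kind": "window_volume", "user": user,
                           "ts": ev["ts"], "records": totals[user],
                           "action": ev["action"], "source": ev["source"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(f"{a['ts'].isoformat()} {a['kind']:14} {a['user']} "
              f"{a['records']} records via {a['action']}/{a['source']}")
```

On the constructed log the analyst's reporting queries never trip either rule, while the clinician's two exports raise two single-action alerts and, once the second one lands inside the same hour, a window-volume alert. In a real deployment the thresholds would be set per role (a reporting analyst legitimately touches more rows than a nurse) and the alert would feed a ticket or an automatic session termination rather than a print statement.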

u/GreyDeath 23h ago

Every company that I've worked at has had "insider risk" protocols and security systems that would make that impossible for millions of records to be exfiltrated

You must work at an extraordinarily secure company. Good for you. But data breaches have occurred at tons of companies in all sorts of fields, not just healthcare.

Beyond that you're making it sound like it's the protocols developed by your IT that make data exfiltration possible, as opposed to the workers, in which case are you advocating that the hospital's IT team be punished or the worker that fell for the phishing scam?

In the end this sounds like punishing someone for not putting enough locks on their door after they were robbed.

9

u/unit156 23h ago

I think the correct analogy would be punishing the leadership/management of a bank for saying they will protect your funds, and then not putting adequate locks/security in place.

So basically lying to you by placing your funds at risk via the weak link of a single employee. It would be appropriate for the company to be penalized for that.

While typing that out, it occurred to me that banks are insured so the average customer doesn’t have to worry too much about their funds being stolen.

So why isn’t it the same for companies who gather or utilize consumer data? Why aren’t we automatically paid each time our data is breached? Something to think about.

-2

u/GreyDeath 23h ago

punishing the leadership/management of a bank

You ever hear of a bank manager being punished for the bank being robbed?

So why isn’t it the same for companies who gather or utilize consumer data?

Because money is fungible in a way that data isn't. If I lose my money and the government gives me an equivalent amount I am made completely whole. If I have my data stolen there isn't a method of restitution. Bank insurance isn't a means of punishing the bank, it's a means of restitution for the customer.

6

u/unit156 22h ago

The OP’s post is about a data company that was breached via the weak link of a single employee who was tricked. It wasn’t robbed like an armed robbery or forced break-in at a bank.

So let’s stick with analogies to the OP post situation.

0

u/GreyDeath 22h ago

It wasn’t robbed like an armed robbery or forced break-in at a bank.

The means of robbery shouldn't make a difference. It was robbed by the people who stole the data. And a bank that is robbed by having an employee be scammed is still a robbed bank.

So let’s stick with analogies to the OP post situation.

I would argue that the comparisons being made to manslaughter then aren't apt either.

1

u/RollingMeteors 20h ago

You ever hear of a bank manager being punished for the bank being robbed?

If the penalty was execution then there would be zero successful bank robberies.

0

u/GreyDeath 19h ago

Doubtful. The death penalty has never been found to be an effective deterrent.


1

u/_catkin_ 16h ago

If a bank or anyone else failed to take reasonable security steps, we might expect or wish to see punishment for that negligence. Banks do appear to take physical security pretty seriously.

0

u/GreyDeath 16h ago

They do take physical security seriously. Sometimes banks still get robbed. The Bank CEOs don't go to jail when that happens.

3

u/RollingMeteors 20h ago

But data breaches have occurred at tons of companies in all sorts of fields, not just healthcare.

That simply occurring doesn't make them, 'not negligent'...

1

u/GreyDeath 19h ago

Sure, but you haven't determined that these breaches are due to negligence, and more importantly criminal negligence.

1

u/RollingMeteors 19h ago

An insecure infrastructure is pretty 'negligence' painted all over to me and everyone I'd imagine. Any of the IT folks here who have a W2 in the field would probably corroborate that.

1

u/GreyDeath 19h ago

And which infrastructure is the one that is insecure? Is it the hospital's? The EMR's? How exactly did the malicious software export the data?


1

u/[deleted] 22h ago edited 22h ago

[deleted]

1

u/GreyDeath 22h ago

having the official policy be to leave the data out in public where anyone could walk away with it.

The data wasn't out in the open. Getting the data required the employee to download malicious software to access.

why they weren't up to standards.

What standards exactly?

2

u/[deleted] 22h ago edited 22h ago

[deleted]

1

u/GreyDeath 22h ago

A support employee having the power to be tricked into giving the documents is the same as leaving the documents outside in person. 100% of tech support employees can be tricked, it's a total and firm guarantee that they will be.

The employee was not specified as a tech support employee and is referred to in the article as a healthcare provider, which usually means somebody who deals with actual patients (doctor, nurse, physical therapist, etc).

The bare minimum expected security norms in the software industry in my personal experience.

OK, so there are no legal requirements, so under what law would the IT workers of this hospital be punished?


1

u/_catkin_ 16h ago edited 16h ago

In the civilised world there are legal responsibilities for keeping data secure. A business that fails to do so can be punished.

So, management/top brass take responsibility for ensuring good security protocols are in place + training.

This is standard for Europe.

In terms of who gets blame when a breach happens it’s going to depend on specifics. Employees each are responsible for not screwing up, but IT (usually now dedicated cybersecurity) also put stuff in place to increase security. It can be something like mandating encryption for all laptop hard drives. And management gets IT to do that + enforces training (for employees) and security practices.

1

u/GreyDeath 16h ago

Ok, so show me an example of a European CEO going to jail over a data breach.

2

u/XDon_TacoX 1d ago

But there's a punishment and it's not precisely a light one, now if you were to kill a couple dozen people by accident, idk how many thousands of people got their data sold breached, but I guess none of this matters when you are rich.

4

u/RollingMeteors 21h ago

and there should be a huge-ass fine and jail time; but if you confess a mistake nothing happens.

Penalties for civil violations

HIPAA violation: Unknowing

Penalty range: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations

HIPAA violation: Reasonable Cause

Penalty range: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations

HIPAA violation: Willful neglect but violation is corrected within the required time period

Penalty range: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations

HIPAA violation: Willful neglect and is not corrected within required time period

Penalty range: $50,000 per violation, with an annual maximum of $1.5 million

Criminal penalties

Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.

Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.

Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.

Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.

¡Do away with annual maximums NOW!

¡I want to see one of these companies fined more money than was ever printed!

0

u/_catkin_ 16h ago

Are any of those ever enforced? What about when the breach was committed by a foreign national working from another country?

1

u/MRintheKEYS 16h ago

Russia is doing that right now with that plane that crashed.

2

u/chippywatt 1d ago

If they started jailing and fining for all data breaches, no one would report them, and the underlying bugs that caused them that might impact others would never get fixed. People are always gonna try to break in, it’s better that everyone collaborates to patch the holes as much as we can

5

u/s9oons 1d ago

No. That’s what well built development processes are for. Well structured systems don’t allow single users to make “honest mistakes” that expose 5.6 million patients data. You iron those things out BEFORE rolling out the system. This is like selling a video game and then letting the paying users find super exploitable bugs.

1

u/chippywatt 20h ago

I completely agree with you, I think this should be handled via class action lawsuit, with an amount that actually pays out what the patients are owed. All I’m saying is if we started creating rules where they’d be getting fined and jailed immediately, the behavior would change: no one would blow the whistle that could lead them to go to jail. We probably wouldn’t hear about half the issues that happen. They should definitely develop the software better, but humans are gonna human, there’s gotta be a bug arbitration process that incentivizes sharing issues rather than hiding in fear

1

u/According-Novel9156 1d ago

The ol “whoppies daises”

1

u/outthewazu 1d ago

Let's be clear. It was an "honest" mistake. If it was any other kind, then criticism would be warranted.

21

u/isdanetworkdown 1d ago

I took a screenshot of a malicious email and sent it out company wide as an example with an explanation of what to look for. I received 10 emails telling me they weren't able to click the link in the screenshot. Users are dumb

4

u/TacTurtle 12h ago

Please tell me all 10 of those were given mandatory retraining or fired.

1

u/isdanetworkdown 2h ago

Doctors mostly. Not even a reprimand

124

u/an-interest-of-mine 1d ago

I am going to chalk this up to a failure in training on the part of the company. The person making the “honest mistake” obviously did not receive enough training on attack vectors used by malicious actors.

The company should be fined within an inch of its life.

145

u/No_Accident2331 1d ago

I’m in IT—there’s no such thing as “enough training” for end users. You could have an email or website that literally said “Clicking here will steal your credentials and infect the computer!” and people will still click it.

77

u/notnotbrowsing 1d ago

my favorite was when I got a fake phishing email from IT to test whether we click links, and I forwarded it to the IT department like we're supposed to do.

the IT guy clicked the link and I got "hit" with failing the test and they tried to force me to take the anti-phishing class.

24

u/No_Accident2331 1d ago edited 1d ago

Maybe they wanted you to use the Report Phishing function? I don’t know what email platform you use but with Outlook when our security team sends out a test, when you click the Report Phishing button it will respond with something like “Good job. This was a test sent out by your security department.”

EDIT: I missed that your IT guy fell for it! 🤣😂 Not all IT guys are cut out for it.

2

u/notnotbrowsing 1d ago edited 1d ago

they do that now, not that I've received a test in years. At that time we were instructed to forward to a specific email.

edit: for your edit, I was pretty mad because it took months and the IT director calling me before they agreed to unenroll me from the class.

4

u/Greydusk1324 1d ago

I hate my IT dept for the phishing tests. I work in a position that exclusively uses email internally. My work computer is in a facility with limited access to the outside through multiple firewalls. My computer uses a stripped down web version of outlook that initially didn’t have the “report phishing” button until I complained to IT. I was getting marked down for not reporting the multiple test emails each week and they would assign remedial training. I got caught by a phishing email this week and written up by IT for more remedial training. The email that got me: I just had my yearly review with my boss and he told me he was going to send me the review for approval. That afternoon I got an email labeled from my boss with a link labeled employee evaluation but it was phishing by the IT dept. Fuck those guys.

5

u/No_Accident2331 1d ago

That’s horrible—sorry.

2

u/Miguel-odon 21h ago

Are they reading your actual e-mails, to better mimic them?

-1

u/Probably_a_Shitpost 23h ago

Hey fuck you buddy. It's not IT's fault; blame yourself and your idiot coworkers for doing dumb shit that makes regulatory bodies require we do that shit. We don't like phishing tests either.

2

u/Greydusk1324 17h ago

My IT dept does not come on site unless a major system goes down. They don’t get us the peripherals we need to do our jobs. They send remote training but don’t accept feedback on it. Their training specifically says verbal acknowledgment with a team member about emailed links is the preferred method. They send us software patches and explicitly state in the emails it’s not phishing just click the link. They can bugger off.

2

u/Probably_a_Shitpost 14h ago

Forgive me. I was drinking. I forget sometimes not everyone has a dedicated IT dept with folks who care. I'm sorry about your shitty IT situation and if there is anything I can help with, I'll give you a one-time "I will look into something for you", provided you give a vague enough description of what's going on, and I will solve it for you.

(Vague so I don't dox or know anything about you. Just say I'm trying to do x and x doesn't work.)

7

u/frenchtoaster 1d ago

To be fair, a qualified IT person who opens the link on a fully patched Linux machine to see what the site is (knowing it's probably a phishing scam) is not really risking anything, and it is a good idea for them to decide next steps in case other people in the organization got the same email and probably clicked it.

1

u/ClickAndMortar 15h ago

Our IT has a “report phishing” button in outlook. We have to watch these stupid 20 minute videos of a series called “The Inside Man,” which based on the production value, must have cost a fortune. If you report an actual phishing email, you’ll get a message that the email was legit, since the report phishing button is intended to only be used to report fake phishing emails from the security consulting company.

For a company trying to teach employees to watch out for phishing attempts, they could at least send the phishing emails from different servers. I set up a rule in outlook to just look at the email header, then route everything from the consulting company into a single folder. I get my training reminders there as well as the fake phishing emails so I can watch for actual phishing attempts that IT will ignore.

-5
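The header-based sorting ClickAndMortar describes can be shown as an added example; it is not the commenter's actual Outlook rule and not anything from the article. It uses Python's standard-library mail parser and decides by the envelope sender (Return-Path) rather than the displayed From line, files an assumed simulation-vendor domain (phishsim.example) into its own folder, and flags messages whose displayed domain and envelope domain disagree, the "quick glance" case other commenters complain about. The vendor domain, the organisation's domain (hospital.example), its gateway name (mx.hospital.example) and the three messages are all constructed.

```python
"""Route mail by envelope sender and header consistency, not by display name.

Added example, not the commenter's real Outlook rule and not code from the
article. Assumptions: the phishing-simulation vendor sends from
phishsim.example, the organisation's own domain is hospital.example, and the
organisation's own gateway (mx.hospital.example) stamps Authentication-Results.
"""
from email import message_from_string
from email.utils import parseaddr

SIMULATION_DOMAINS = {"phishsim.example"}   # assumption: vendor's envelope domain
OWN_DOMAINS = {"hospital.example"}          # assumption: our own domain
OWN_AUTHSERV = "mx.hospital.example"        # assumption: our gateway's authserv-id


def domain_of(header_value):
    """Lowercase domain of the first address in a header, '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """Return (folder, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])

    # Simulation traffic is identified by the envelope sender, which the
    # vendor controls, not by the From line, which simulations deliberately
    # make look internal.
    if envelope_dom in SIMULATION_DOMAINS:
        return "Simulations", ["envelope sender is the simulation vendor"]

    reasons = []
    if envelope_dom and envelope_dom != from_dom:
        reasons.append(f"From domain {from_dom!r} differs from "
                       f"Return-Path domain {envelope_dom!r}")
    if from_dom in OWN_DOMAINS and envelope_dom not in OWN_DOMAINS:
        reasons.append("claims to be internal but envelope sender is external")

    # Only trust an Authentication-Results header stamped by our own gateway;
    # a header inserted further upstream proves nothing.
    auth = str(msg["Authentication-Results"] or "").lower()
    if not auth.startswith(OWN_AUTHSERV) or (
            "spf=pass" not in auth and "dkim=pass" not in auth):
        reasons.append("no SPF/DKIM pass recorded by our own gateway")

    return ("Suspicious" if reasons else "Inbox"), reasons


# Constructed messages; only the headers matter to this rule.
MSG_SIMULATION = """\
Return-Path: <bounce@phishsim.example>
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=phishsim.example
From: "HR Department" <hr@hospital.example>
To: nurse07@hospital.example
Subject: Your annual review is ready for approval

Open the attached review and confirm.
"""

MSG_INTERNAL = """\
Return-Path: <it-notify@hospital.example>
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=hospital.example; dkim=pass header.d=hospital.example
From: IT Service Desk <it-notify@hospital.example>
To: nurse07@hospital.example
Subject: Password expires in 5 days

Change it via the intranet portal.
"""

MSG_LOOKALIKE = """\
Return-Path: <x9@mail-relay-4121.example.net>
From: "Payroll" <payroll@hospital.example>
To: nurse07@hospital.example
Subject: Updated pay statement

Sign in to view.
"""


if __name__ == "__main__":
    for name, raw in [("simulation", MSG_SIMULATION),
                      ("internal", MSG_INTERNAL),
                      ("lookalike", MSG_LOOKALIKE)]:
        folder, reasons = classify(raw)
        print(f"{name:10} -> {folder}: {'; '.join(reasons) or 'ok'}")
```

The lookalike message is the one a user would pass on a quick glance at the From line; here it lands in Suspicious for three independent reasons. The simulation check runs first on purpose: the vendor's messages also spoof an internal From address, so without it they would be indistinguishable from the lookalike. A rule like this belongs at the gateway, where the Authentication-Results header is known to be the organisation's own, not only in one user's mailbox.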

u/Illlogik1 1d ago

Forwarding phishing emails to anyone is akin to purposely sleeping with people knowing you have HIV ….

10

u/notnotbrowsing 1d ago

then they shouldn't have told me to forward it to them.

6

u/jlp29548 1d ago

One of these things is seriously not like the other.

15

u/codinginacrown 1d ago

Also in IT - users at my company are so scared to click on links because of the possibility that it might be a phishing exercise that they've stopped clicking on any links at all...and now other departments are complaining that people aren't doing surveys about IT service requests and employee engagement. Even if they put "This is not a phishing exercise" people still refuse to click links. It's kinda comical.

14

u/stevebr0 1d ago

As an end user, it’s actually kind of funny how often legit emails almost seem to go out of their way to emulate phishing emails. Our IT group sends an email when our passwords are about to expire including a “click here to change your password” link. And of course IT has its own subdomain email so at a quick glance (bc we don’t have time to pick apart emails like this) it’s a slam dunk “report phishing”.

6

u/codinginacrown 1d ago

That's the thing right? No one has the time to decipher whether something is legit or not, so it's easiest to just assume it's bad. Delete or report email and move on.

3

u/Alaira314 1d ago

And sharepoint has been going out of its way to train users to re-enter their credentials after following links in e-mails to shared documents. Eventually, people crunched for time stop doing all the checks, because it's been 50 times this month and they were all legit...and then that's the one that isn't.

0

u/No_Accident2331 1d ago

When you say company do you mean “government agency?” Because it sounds exactly the same at my office!😆 (DOI)

2

u/codinginacrown 1d ago

LOL nope but I'm not surprised!

3

u/ralphanzo 1d ago

As a nurse you aren’t wrong. I had a coworker who was written up and had to do a lot of retraining because she kept clicking on those test phishing emails. She became so nervous she asked me to look at her work email with her every time to make sure she didn’t click the phishing emails again.

5

u/badgersruse 1d ago edited 21h ago

See. There’s where you are wrong. There are some things that it just shouldn’t be possible for end users to do. Then no amount of user error would allow it. You (as a business) are thinking about this wrong, and that’s why a business that allows this should be fined within an inch of its life.

2

u/Masterofunlocking1 1d ago

Same here. It's insane the amount of stuff we see in our firewall logs that get blocked throughout the day, granted some of it could be legit and the firewall has it categorized wrong but still.

2

u/gbobeck 22h ago

I’m a former IT guy who moved over to infosec - you are 100% correct. My team in the past sent out phishing tests which literally said “This is a phishing test. Click here for a surprise.” and we had end users click the link instead of reporting it using the Phish alert button. That campaign was sent out a week after the annual phishing training.

1

u/Illlogik1 1d ago

It’s true, especially in healthcare where the users are more concerned with saving lives and healing the sick over Internet boogeymen

3

u/[deleted] 1d ago edited 1d ago

[removed]

6

u/ChuckMcA 1d ago

Yeah. If a single user mistake can blow up your network, it’s a security problem not a user problem. Flat networks, untracked privilege and access are all too common.

4

u/Wistephens 1d ago

Agreed. You need to implement Zero Trust, where you automatically assume that everything is compromised and trust no user, device or request.

Trust no one; least privilege access; constant verification; treat every access as potentially compromised.

Also, these healthcare orgs should be following HITRUST (45 CFR) to encrypt everywhere.

2

u/OnlineParacosm 20h ago

This is actually a cop out that hospitals use to avoid paying for security budgets.

They place the onus on workers to avoid being phished and it never works because there is always a threat actor more computer savvy than your hospital worker.

They need to invest in endpoint protection and it’s incredibly expensive

1

u/tdasnowman 16h ago

I don’t work for this company but I do work in healthcare. I’d say the problem might be too much training. People are probably being bombarded with low effort attacks and the obvious IT phishing tests, so the really sophisticated ones can squeeze by. We just had an issue at work where an annual email was mass reported as phishing cause the company changed the domain. They had to resend that email, and at the same time we got some actual phishing attacks using that vendor’s template. Caused a lot of confusion largely because all the training we’ve had to do has people being hyper vigilant which also generally means you wind up missing something.

24

u/deicist 1d ago

If an honest mistake can compromise your system to such an extent then there's major problems with your system.

8

u/alwaysfatigued8787 1d ago

I think I would have been more satisfied if they had just said that it was a dishonest mistake.

6

u/spreadthaseed 1d ago

Honest mistake is stepping on someone’s shoe in a dark movie theatre.

A data breach this big isn’t honest or a mistake.

11

u/skerinks 1d ago

I was a network manager a couple years ago for Ascension at a hospital system in another state than this one. But all hospital systems are the same. The user base is the same. There was sooooo much training over this stuff. And always failures. The consequences of clicking a link were to simply retake a CBT (again).

This is a problem of accountability, not necessarily training. I can’t tell you how many people will just click anything you put in front of them if it seems anywhere remotely legit, and something they need. I will bet you even now within Ascension that clicking on a link in a phishing exercise does not lead to anyone getting fired or reprimanded in any way. While I would love to say that it was nurses over a certain age, I’ve seen plenty of people fresh out of college who will click on anything they think will make their job easier.

If you’re looking to get into data breaching, a surefire way is to simply put some malware on 10 thumb drives and place them around the hospital with stickers on them labeled “Nurses station 5 West” or something like that. I would bet my next paycheck, someone will plug them in.

3

u/reflekt- 21h ago edited 21h ago

Phishthreat was like this at every single company I ever worked at. Huge percentages of people failed the simulated emails. One person claimed to open them on purpose and take the required quiz simply to print the award certificates for their cube as a joke. One email was titled “lost puppy in the parking lot” and 80% of people opened the attachment. This was at a Fortune 500 and the CEO actually sent an email scolding the entire building. People are fucking morons and the only thing that will fix that is the threat of firing.

2

u/Alaira314 1d ago

I can’t tell you how many people will just click anything you put in front of them if it seems anywhere remotely legit, and something they need.

As someone who's been punished at work for challenging something that seemed very suspicious but turned out to be legit...you bet I click. :

I'm not sure what world IT operates in, but it's not the one I'm in where we constantly get legitimate e-mails asking us to follow links and perform tasks, mostly for HR but sometimes for other departments, originating from external addresses. Or that are only in plaintext, with no salutation or signature. Or that are sharing a document with you, only to demand you authenticate with your e-mail and password, despite already being logged in to your account on that browser. These are all legitimate things I see regularly, and the one time I naively followed my shiny new training to report it I was very swiftly shown the error of my ways.

1

u/skerinks 22h ago

I get it, I really do. I was not always an IT guy. What you wrote is a failure of your company’s leadership. Within the story we see the consequences of not having a security-first mindset. I get that ‘operations’ is the whole point of being in business. I also say it’s criminal at this point in technology to not put security on the same level as operations. Aside from people’s personal information now on the dark web from this instance (we’ll just leave alone the argument that it was probably already there anyway), can you imagine the cost to remediate and the millions, maybe even billions, lost in revenue at Ascension because of this scenario?

8

u/cwpreston 1d ago

Ascension has outsourced most of its IT infrastructure, I’m amazed breaches haven’t happened more often.

3

u/dsgoose 1d ago

Can confirm.

7

u/cwpreston 1d ago

It's criminal how badly reimbursed the stateside contract workers they switched to are. Ten days PTO a year with no paid holidays? I still remember how some were panicking when they were told they had a week furlough for thanksgiving and two weeks for Christmas. Sure, some of the upper admins that came over from that org in California are making bank in bonuses because costs are down but overall the organization is really suffering, and they have sold off so many hospitals. Every time I went to a ministry for a project go live I got blasted by providers and staff saying they just didn't want to call the help desk anymore.

5

u/dojo2020 1d ago

Do they even care?? Canada 🇨🇦 here, where is the legal accountability for your data?? Hmmm?

2

u/sea_stomp_shanty 16h ago

Americans love to talk about legality until they realize they’ve broken laws 😂🫡

4

u/Traditional_Squash68 23h ago

There’s no “honest mistake” in data security.

4

u/Hanky_Adula_1102 19h ago

Posting this again to provide a comparison of Ascension's highest paid personnel vs how little time or money they invest in protecting their customers' info:

In 2022, Ascension Health Alliance reported total revenue of $3.7 billion (compared to $4.2 billion in 2021, $2.4 billion in 2020 and $2.3 billion in 2019) with the decrease primarily attributable to lower investment income.

8,438 employees were compensated $1.1 billion which equates to an average compensation of $130,000. However, only 1,663 employees received more than $100,000 in compensation which suggests that the most highly compensated received significantly higher compensation. The 9 most highly compensated individuals are listed below:

$13,707,694: Joseph R Impicciche, President and CEO

$5,289,938: Herbert J Vallier, EVP and CHRO

$5,542,344: Anthony J Speranzo, CEO, Chair Ascension Cap

$5,702,000: Joseph G Cacchione, EVP, Clinical and Network Services

$4,697,662: Karen Springer, EVP and CNE

$5,686,074: Craig Cordolo, EVP and COO

$3,694,461: Elizabeth Foshage, EVP and CFO

$4,958,373: Eduardo F Conrado, Former Board Member (end 6/18)

$1,598,786: Anthony R Tersigni, CFO (end 6/19), Chair, Ascension Cap (start 7/19)

Source: https://paddockpost.com/2024/05/27/executive-compensation-at-ascension-health-2022/

Comment by a physician: "Another way of looking at it: if Joseph Impicciche worked 100 hours a week (a generous estimate) 47 weeks a year, he made $2916.53 per hour. He made 146 times what an experienced hospital housekeeper made, who may be forced to work part-time so she doesn’t get full-time benefits. And he isn’t exposed to dangerous chemicals or biological hazards.

Greed is killing U.S. health care."

9

u/NootHawg 1d ago

Well since it was an “honest” mistake they should face absolutely no consequences for exposing all of those people’s sensitive information /s.

8

u/ekkidee 1d ago

I'll just put this out here:

As for how a massive healthcare system fell victim to such a severe hack, it came down to a classic error: an employee accidentally downloaded a malicious file disguised as legitimate. The healthcare provider admitted in June that it was "an honest mistake."

2

u/ryan0988 1d ago

Honestly I have just come to terms that all my shit is out there now days. With the amount of data breaches there is no such thing as privacy.

2

u/2-wheels 1d ago edited 1d ago

Time to honestly pay up. How much did this CEO make in 2024?

Update: despite being a non-profit, CEO Joseph Impicciche made over $13,000,000 in 2021. Time to honestly give some back.

2

u/the_drunk_drummer 23h ago

There's no such thing as a "mistake". The word mistake is used instead of saying they were careless, not paying attention or distracted, sleep deprived, negligent, sloppy, the list goes on. But using the word mistake, is admitting you learned nothing from what happened and have no plan to prevent what happened. Just my thought.

2

u/steedandpeelship 23h ago

Whoops, shouldn't a opened that "link" in that email! Sorry, my bad y'all. We good now??

2

u/Monkfich 21h ago

“Honest” mistakes are the best. They confirm that the company believes their current system of manual control is adequate and nothing can be improved. As such, any issues that arise are always an employee’s fault.

“Poor old Sally - she made an honest mistake! Not us though, not us who didn’t want to spend money on IT security controls this year, not us!”

2

u/inthenight098 16h ago

Consequences????

2

u/Whoreinstrabbe 16h ago

Who’s the CEO?

2

u/mrhoopers 15h ago

If your security depends on trusting people, you've already failed.

2

u/eliblack 14h ago

These guys are one of our biggest clients. We work directly with patient data and financials. They were down for an entire month when this happened. Took us another month to get their data loaded back up to date and reconciling again. It’s crazy to read it went undetected for that long. Wild. Nice people though lol.

2

u/pecheckler 7h ago

Ascension IT was outsourced to India and has gotten far worse since that cost cutting endeavor began and all the knowledgeable US IT staff were let go.

2

u/Logical_Parameters 1d ago

In the endless pursuit of pushing quarterly profit margins that is peak Capitalism, security is not a top expense.

1

u/CormoranNeoTropical 22h ago

And we’re going to do away with paper passports when???

1

u/bedbathandbebored 12h ago

If one mistake was all it took then the security measures they have are garbage.

1

u/BrewKazma 6h ago

Ascension can eat a bag of dicks. They wouldn’t give my sister in law a new IUD, because of religious reasons.

1

u/houstonhilton74 1d ago

"We'Re SoRrY."

1

u/diatho 1d ago

No it’s not an honest mistake. It was an error by the user. An honest mistake is putting the wrong file in the wrong folder. Downloading something malicious is not a mistake.

0

u/238_m 1d ago

Airgapping is a thing. Or in this case, not a thing.

0

u/sea_stomp_shanty 1d ago

an “honest” mistake

Oh, so now we get to start saying some mistakes are better than others, okay

0

u/unnameableway 1d ago

It can only be attributable to human error.

0

u/dumbassname45 14h ago

Can “honest mistake” be used as a defence for Luigi Mangione ? I was just walking down the street and bang my gun just went off and Brian Thompson got shot.. honest mistake. Human error, no big deal. I said sorry can I go now?

-1

u/gumheaded1 1d ago

The phrase “human error” is idiotic. No such thing as an error that is not “human”.