So far only one media news outlet has followed up on this story - ZDTV
has managed to find out where the hospital is: Pontiac, Michigan. After
broadcasting this as the lead item in their nightly newscast, ZDTV found
that the dictating system was manufactured by Dictaphone and is apparently
used at hospitals all over the place. (If you know of such a system at
another hospital, please let us know so we can determine if private
patient records are vulnerable in other locations.) As of now, the
system in Pontiac is no longer reachable.
A simple scan of toll-free numbers has turned up a very disturbing item
and one which we fear may be all too commonplace.
Somewhere in the United States an insitution known as St. Joseph's
Mercy Hospital has confidential patient
records accessible on this number with NO PASSWORD or security of
any significance. The system allows doctors to dictate all kinds of
information about their patients, ranging from admitting/discharge
data, cardiac records, mental health records, and an almost unending
amount of personal information that SHOULD NOT BE PUBLICLY AVAILABLE!
Yet it is, and with every passing day more patient records are
being left out for anyone to examine.
This incredible security breach was reported on WBAI's Off The Hook
on September 21, 1999. We're still trying to find out which hospital
this system belongs to. Because of the sensitive and private nature
of this system, we're not disclosing the toll-free number as that would
inevitably lead to patient records being altered or erased since there
are no passwords on the system. However, we are publishing audio files
that show just how much private information is available to anyone
with a touch tone phone. Out of respect for privacy, we are bleeping
out names and personal info. We will continue to add files to this
collection until the system is fixed.
Perhaps this action of ours will anger some people. We hope it does.
And we also hope they direct their anger at the proper target - namely
the people who design systems so wide open that anyone in the world
could do what we did. Hackers don't create these problems - they
discover them. Many times though, hackers get the full blame. But in a case
like this, we believe that staying quiet would be almost as bad as betraying
these patients' privacy by operating such a shoddy system.
As promised, the following RealAudio clip is of a call to this number. Certain touch tones and names have been beeped out to protect the innocent, others have been left in to damn the guilty. Long silences have also been edited out.
Download RealAudio clip
Stream RealAudio clip