Web Application Security Consortium - Web hacking Incidents Database (WHID)

Reported: 30 July 2007
Occurred: 25 July 2007

Classifications:

Attack Method: Insufficient Authentication
Country: USA
Outcome: Leakage of Information
Vertical: Health

In a classic case of lack of proper separation between the production and development sites, an application under production with lack of proper authentication and authorization was installed on a hospital's public web site, enabling anyone to query a database of 51,000 names, addresses and social security numbers.

References:

Data lapse involved 51,000, St. Vincent says
News Story, Indy Star, 25 July 2007

WHID 2007-07: Westerly Hospital data breach affects 2,000

Reported: 29 March 2007
Occurred: 02 March 2007

Classifications:

Attack Method: Unintentional Information Disclosure
Country: USA
Outcome: Leakage of Information
Vertical: Health

Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.

The information included personal data such as social security numbers, birth dates, address, phone number, insurance numbers and in some cases the reason for the visit.

References:

Westerly Hospital data breach affects 2,000
News Story, Providence Business News, 02 March 2007
Patient Data Incident
Vistim's Report, , 05 March 2007

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.