Hospitals ponder security in the wake of the Verus online bill-payment debacle
Small mistakes can have big consequences.
Last April when a network technician working for Bellevue, Wash.-based Web content-management company Verus failed to set up a firewall properly as part of an online bill-payment service for hospitals, the mistake exposed patient data from at least a half-dozen hospitals across the country.
Until the mistake was discovered over a month later, patient information that had been stored by Verus on behalf of Concord Hospital in New Hampshire; St. Vincent Indianapolis Hospital in Indiana; Stevens Hospital in Edmonds, Wash.; and Sky Lakes Medical Center in Klamath Falls, Ore., among others, could be openly accessed on the Web. And it was, at least by Google bots that indexed it for search.
“Our data on about 9,200 patients was exposed for about five weeks on the Internet,” says Bruce Burns, CFO at Concord Hospital. “We were made aware it had been indexed by Google. We think a patient from Stevens Hospital was the first to discover it.”
Verus owned up to the security mistake but Concord Hospital, along with other medical-care institutions forced to explain the data breach to the public, dropped the Verus bill-paying service like a hot potato. Verus figured prominently in their press releases as the culprit behind the fiasco.
“We fielded 1,500 phone calls about this,” says Burns, who said the hospital decided to discontinue the service after being notified of the data breach in June. Concord Hospital also hired a computer forensics firm to ensure the Verus servers were cleansed of the hospital patient data.
“We shut down the bill-payment feature instantly,” says Sky Lakes Medical spokesman Tom Hottman, describing the hospital’s response to being notified of the breach. Hottman said the Verus service required that the hospital’s patient-billing data reside live on a Verus server, which was apparently shared by nine or 10 other hospitals.
“The firewall security was apparently not re-established correctly and a Google bot got to search it,” Hottman says. He adds that the hospital had had a “good relationship” with Verus President and CEO Thomas Lawry and had used the Verus Web design services for nine years.
Both Concord Hospital and Sky Lakes Medical Center believe that the data exposed was restricted to patient name, address and Social Security number, but not medical data.
After the security breach for which it took responsibility, Verus shut down the medical bill-paying service. Though it had been in business since 1996, this July the privately held firm sent out a letter to former customers saying Verus was closing its doors.
Today, the Verus Web site has gone dark and no one answers the Verus phone, but a recorded message tells callers to contact MedSeek, a former competitor.
“We both started at the same time, though Verus had two lines of business, the online bill payment and the hospital content-management service, and we only do the second,” says David Levin, MedSeek’s vice president of marketing. “In the June time frame when they were having financial troubles and operating troubles they came to us because they didn’t want to leave 25 to 30 hospital customers in the lurch.”
MedSeek uses a different medical-application platform than Verus, but decided to license the necessary Microsoft Content Management Server software that Verus used, as well as make other investments, including hiring former Verus employees as contractors, to be able to support Verus customers that wanted to come on board as the Verus ship sank.
Attempts to reach Verus, including President and CEO Thomas Lawry, to learn whether the firewall fiasco is the straw that broke the camel’s back, weren’t successful.
In the wake of it all, hospitals are pondering the lessons learned and wondering how to go forward with technologies such as online bill payment that still hold appeal.
“We are investigating other services,” says Concord Hospital’s CFO Bruce Burns. But next time around for online bill payment, if there is one, the hospital wants to look at how audits or other security controls should be included as part of third-party services.
“What assurances can I show to my audit committee about these third-party services?” says Burns. “We need to better understand what’s entailed.”