Real World Risk Management Practical HR Resources
welcome
Are you a new user?
REGISTER HERE





RETRIEVE PASSWORD

Misconfigured Web Servers Lead To Breaches And Later To Liability

CorrectCare, a medical claims processing company, has agreed to pay a $6.49 million settlement following a data breach that exposed sensitive information of nearly 600,000 prison inmates.

The breach, caused by a misconfigured web server, affected inmates who received medical care between January 2012 and July 2022 in correctional facilities across Louisiana, Georgia, South Carolina, and California.

Under the settlement, eligible class members can receive up to $10,000 for unreimbursed out-of-pocket losses directly linked to the breach.

According to the source:

"CorrectCare failed to employ security standards commonly accepted among businesses and required by security standards of businesses that store protected health information and personally identifiable information and use the internet," the lawsuit alleged.

CorrectCare in a breach notice posted in November 2022 said it became aware of the exposure of information stores on its web server to the public July 6, 2022, and that the two directories may have been exposed as early as Jan. 2, 2022.

Among inmate data exposed were full names, date of birth, Social Security numbers, California Department of Corrections and Rehabilitation numbers, and certain health information, such as a diagnosis code and current procedure terminology code. https://www.govinfosecurity.com/600000-prison-inmates-to-share-in-649m-breach-settlement-a-26444 (Oct. 03, 2024).

Commentary

In the above matter, the source references that "two directories" may have been exposed, which supports the claim of "misconfiguration".

It is considered "misconfiguration" when sensitive directories can be accessed without credentials or with weak credentials, such as unchanged default passwords. 

A misconfigured web server is a web server that has not been set up correctly, leaving it vulnerable to security breaches. This can happen due to various reasons, such as using default settings, not updating software, or improperly setting access controls.

The final takeaway is that organizations should never take a server online until it is reviewed, configured, and certified to be secure.

Finally, your opinion is important to us. Please complete the opinion survey:

Misconfigured Web Servers Lead To Breaches And Later To Liability

A medical claims processing company owes $6.49M to 600K inmates because of a misconfigured server. We explain.

read more

Why Does This G-20 Nation Keep Sending Me Phishing?

The DOJ breaks up a Russian spear phishing campaign. We examine why spear phishing is still so effective. ?

read more

Survey Shows IT Pros Are Unable To Keep Up With Data Demands Over Security Concerns

Businesses need access to data to make good decisions, but too much security means data can often be overlooked. We examine the question of security versus data access.

read more

Decentralizing Data Using Cloud Networks Limits Cyber Attack Harm

A cyberattack on a city did not cause major problems because the city had taken proactive measures for just such an incident. We examine the steps taken to minimize damage.

read more

This site uses essential/technical cookies to function. Cookies allow us to provide the best experience possible and must be enabled to use this site properly. By continuing to use this site, you agree to our use of cookies. Please see our Privacy Policy or How to Enable Cookies for more information.

An error has occurred. We have been notified and are working to resolve the problem. Please return to the front page and try this action again later.

Error!

An Error has ocurred on this site.


The error has been reported to our programmers and we are working to correct it. We generally get errors fixed overnight, so please feel free to try this action again tomorrow.