Misconfigured Web Servers Lead To Breaches And Later To Liability

January 9, 2025

CorrectCare, a medical claims processing company, has agreed to pay a $6.49 million settlement following a data breach that exposed sensitive information of nearly 600,000 prison inmates.

The breach, caused by a misconfigured web server, affected inmates who received medical care between January 2012 and July 2022 in correctional facilities across Louisiana, Georgia, South Carolina, and California.

Under the settlement, eligible class members can receive up to $10,000 for unreimbursed out-of-pocket losses directly linked to the breach.

According to the source:

"CorrectCare failed to employ security standards commonly accepted among businesses and required by security standards of businesses that store protected health information and personally identifiable information and use the internet," the lawsuit alleged.

CorrectCare in a breach notice posted in November 2022 said it became aware of the exposure of information stores on its web server to the public July 6, 2022, and that the two directories may have been exposed as early as Jan. 2, 2022.

Among inmate data exposed were full names, date of birth, Social Security numbers, California Department of Corrections and Rehabilitation numbers, and certain health information, such as a diagnosis code and current procedure terminology code. https://www.govinfosecurity.com/600000-prison-inmates-to-share-in-649m-breach-settlement-a-26444 (Oct. 03, 2024).

Commentary

In the above matter, the source references that "two directories" may have been exposed, which supports the claim of "misconfiguration".

It is considered "misconfiguration" when sensitive directories can be accessed without credentials or with weak credentials, such as unchanged default passwords. 

A misconfigured web server is a web server that has not been set up correctly, leaving it vulnerable to security breaches. This can happen due to various reasons, such as using default settings, not updating software, or improperly setting access controls.

The final takeaway is that organizations should never take a server online until it is reviewed, configured, and certified to be secure.

Finally, your opinion is important to us. Please complete the opinion survey:

Product

Articles

What Percentage Of Your Workforce Is Highly Sensitive? You Make The Call

A study focuses on "Highly Sensitive Persons" in the workplace. We want to know how many are in your workplace. You make the call and join the conversation.

Executive Order 11246 Rescinded: Impact On Healthcare Organizations

U.S. Department of Labor has used Executive Order 11246 to address discrimination in federal contractor practices for years. However, the EO was recently rescinded. We examine.

Complicated Embezzlement Scheme Involving Employer Donations: What Lessons Can Employers Learn?

Apple employees are charged with a serious crime regarding a matching donation program for charities. We examine the scheme and discuss how it can be prevented.

Are Employers Too Lenient When Enforcing The Rules? You Make The Call

A new survey claims that an overwhelming number of younger employees are okay with breaking the rules. Is that okay with you? We want to know.

Data Preservation Best Practices Must Be Learned And Earned

Employee weak security practices put workplaces at risk. How can employers share some of the burden to improve data security?