Misconfigured Web Servers Lead To Breaches And Later To Liability

January 9, 2025

CorrectCare, a medical claims processing company, has agreed to pay a $6.49 million settlement following a data breach that exposed sensitive information of nearly 600,000 prison inmates.

The breach, caused by a misconfigured web server, affected inmates who received medical care between January 2012 and July 2022 in correctional facilities across Louisiana, Georgia, South Carolina, and California.

Under the settlement, eligible class members can receive up to $10,000 for unreimbursed out-of-pocket losses directly linked to the breach.

According to the source:

"CorrectCare failed to employ security standards commonly accepted among businesses and required by security standards of businesses that store protected health information and personally identifiable information and use the internet," the lawsuit alleged.

CorrectCare in a breach notice posted in November 2022 said it became aware of the exposure of information stores on its web server to the public July 6, 2022, and that the two directories may have been exposed as early as Jan. 2, 2022.

Among inmate data exposed were full names, date of birth, Social Security numbers, California Department of Corrections and Rehabilitation numbers, and certain health information, such as a diagnosis code and current procedure terminology code. https://www.govinfosecurity.com/600000-prison-inmates-to-share-in-649m-breach-settlement-a-26444 (Oct. 03, 2024).

Commentary

In the above matter, the source references that "two directories" may have been exposed, which supports the claim of "misconfiguration".

It is considered "misconfiguration" when sensitive directories can be accessed without credentials or with weak credentials, such as unchanged default passwords. 

A misconfigured web server is a web server that has not been set up correctly, leaving it vulnerable to security breaches. This can happen due to various reasons, such as using default settings, not updating software, or improperly setting access controls.

The final takeaway is that organizations should never take a server online until it is reviewed, configured, and certified to be secure.

Finally, your opinion is important to us. Please complete the opinion survey:

Product

Articles

Time For Healthcare Organizations To Rethink Storing Social Security Numbers?

A radiology group pays $1.85M for a breach. Social security numbers were stolen. We provide reasons it is time for healthcare to rethink collecting and storing full SSNs.

The Corporate Transparency Act: Spring 2025 Update

The Corporate Transparency Act, aimed at fighting financial crimes, became effective on January 01, 2024. Learn about its current enforcement status.

Do You Think Remote Work Erodes Social Skills? You Make The Call

A survey reveals remote workers' skills are eroding. Is that what you have experienced or think? You make the call.

How To Detox Your Data Security Hygiene In 90 Days

A compilation of surveys paints a bleak picture on data security. What can employers learn from the statistics? We provide a 90-day detox of your cyber security hygiene.

The HIPAA Security Rule: An Ongoing Compliance And Litigation Risk For Healthcare Organizations

The HIPAA Security Rule was enacted two decades ago. The risk for healthcare continues to grow. We examine.