Misconfigured Web Servers Lead To Breaches And Later To Liability

January 9, 2025

CorrectCare, a medical claims processing company, has agreed to pay a $6.49 million settlement following a data breach that exposed sensitive information of nearly 600,000 prison inmates.

The breach, caused by a misconfigured web server, affected inmates who received medical care between January 2012 and July 2022 in correctional facilities across Louisiana, Georgia, South Carolina, and California.

Under the settlement, eligible class members can receive up to $10,000 for unreimbursed out-of-pocket losses directly linked to the breach.

According to the source:

"CorrectCare failed to employ security standards commonly accepted among businesses and required by security standards of businesses that store protected health information and personally identifiable information and use the internet," the lawsuit alleged.

CorrectCare in a breach notice posted in November 2022 said it became aware of the exposure of information stores on its web server to the public July 6, 2022, and that the two directories may have been exposed as early as Jan. 2, 2022.

Among inmate data exposed were full names, date of birth, Social Security numbers, California Department of Corrections and Rehabilitation numbers, and certain health information, such as a diagnosis code and current procedure terminology code. https://www.govinfosecurity.com/600000-prison-inmates-to-share-in-649m-breach-settlement-a-26444 (Oct. 03, 2024).

Commentary

In the above matter, the source references that "two directories" may have been exposed, which supports the claim of "misconfiguration".

It is considered "misconfiguration" when sensitive directories can be accessed without credentials or with weak credentials, such as unchanged default passwords. 

A misconfigured web server is a web server that has not been set up correctly, leaving it vulnerable to security breaches. This can happen due to various reasons, such as using default settings, not updating software, or improperly setting access controls.

The final takeaway is that organizations should never take a server online until it is reviewed, configured, and certified to be secure.

Finally, your opinion is important to us. Please complete the opinion survey:

Product

Articles

Do You Provide Employees With Childcare Benefits? You Make The Call

Childcare is a priority for employees and might need to be for employers. Do you provide employees with childcare benefits? You make the call.

Need To Adapt Your Workplace Culture? Start With Your Mission And Vision Statements

A new survey reveals workers are leaving their healthcare employers. One reason is the lack of a culture match. How can you stem the tide? We examine.

Conflict De-Escalation: Gaining Ground

A woman - detained and arrested - by police, sues the city. We provide de-escalation tips.

Is "Hushed Hybrid" At Your Workplace? You Make The Call

A survey claims people want to work remotely, and some managers are allowing remote work under the table. Is "hushed hybrid" at your workplace? You make the call and join the conversation.

Making Tough Decisions On The Direction Of A Practice? Make Sure To Give Time To Patient Safety

Two Oregon surgeons sue their former healthcare group for retaliation. They claim they are whistleblowers, but are they? We examine.