Misconfigured Web Servers Lead To Breaches And Later To Liability

January 9, 2025

CorrectCare, a medical claims processing company, has agreed to pay a $6.49 million settlement following a data breach that exposed sensitive information of nearly 600,000 prison inmates.

The breach, caused by a misconfigured web server, affected inmates who received medical care between January 2012 and July 2022 in correctional facilities across Louisiana, Georgia, South Carolina, and California.

Under the settlement, eligible class members can receive up to $10,000 for unreimbursed out-of-pocket losses directly linked to the breach.

According to the source:

"CorrectCare failed to employ security standards commonly accepted among businesses and required by security standards of businesses that store protected health information and personally identifiable information and use the internet," the lawsuit alleged.

CorrectCare in a breach notice posted in November 2022 said it became aware of the exposure of information stores on its web server to the public July 6, 2022, and that the two directories may have been exposed as early as Jan. 2, 2022.

Among inmate data exposed were full names, date of birth, Social Security numbers, California Department of Corrections and Rehabilitation numbers, and certain health information, such as a diagnosis code and current procedure terminology code. https://www.govinfosecurity.com/600000-prison-inmates-to-share-in-649m-breach-settlement-a-26444 (Oct. 03, 2024).

Commentary

In the above matter, the source references that "two directories" may have been exposed, which supports the claim of "misconfiguration".

It is considered "misconfiguration" when sensitive directories can be accessed without credentials or with weak credentials, such as unchanged default passwords. 

A misconfigured web server is a web server that has not been set up correctly, leaving it vulnerable to security breaches. This can happen due to various reasons, such as using default settings, not updating software, or improperly setting access controls.

The final takeaway is that organizations should never take a server online until it is reviewed, configured, and certified to be secure.

Finally, your opinion is important to us. Please complete the opinion survey:

Product

Articles

Do Work Friendships Boost Morale And Retention? You Make The Call

A new survey claims that workplace friendships are extremely important to employee relations. We want to know what you think.

Don't Get CAPTURED By Fake CAPTCHA

A devious and insidious new malware campaign is spreading two very dangerous forms of malware by using fake CAPTCHA. We explain and provide some red flags to spot.

The "Interactive Process" Takes Centerstage For Return-To- Work Strategies

A health services company settles an EEOC disability discrimination charge after an employee is fired after returning to work from an injury. We examine the charge and discuss standards to address the interactive process.

Overpayment Scheme Leads To $100K Fraud Loss: What Steps Can Help Prevent This?

An elected treasurer steals from her nonprofit organization. We examine the scheme and provide a checklist.

Are Employees Empowered To Decline Additional Work? You Make The Call

A survey claims employees are empowered to say "no" to additional work. What do you say? You make the call and join the conversation.