Contractor Folds After Causing Breaches
talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
Re:Capitalism Rules! (Score:4, Informative)
Re:HIPAA (Score:5, Informative)
Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name...
Re:And that's the problem with corporations (Score:4, Informative)
Just because your business was officially dissolved (through the Secretary of State's office) doesn't mean that you're off the hook for bad shit you pulled.
If an employee or contractor was found to be negligent or acting outside of their role within the corporation, they can be found personally liable. That usually results in the employee/contractor suing the business and vice versa.
American business law is very interesting.
Your reasoning is flawed (Score:4, Informative)
Likewise, if the policies enacted by a company's direct actions defraud the public out of millions of dollars, they will be held accountable (see: Enron). If Joe Sixpack in accounting traffics data all on his own, why should the CEO be held accountable?
Re:And that's the problem with corporations (Score:3, Informative)
Re:Capitalism Rules! (Score:5, Informative)
Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again.
Yes, but nothing's stopping these people from forming a new company and doing the same thing again.
I live in the town with skylakes medical center (Score:3, Informative)
Re:And that's the problem with corporations (Score:3, Informative)
If the argument is that perhaps IT should be made a legal "profession", with a certifying board to establish competency, requirements that a professional services IT company have a board-certified IT professional who is responsible for the company's actions, and an expectation that large non-IT-specific companies also have a board-certified IT professional to manage company practices (like the legal or medical departments have certified doctors and lawyers), you might have a good idea. As it is, you're asking that the members of a board of directors, who probably have no IT knowledge at all, personally pay for the actions of some guy several levels below them, who did something they probably wouldn't have even understood was bad at the time had they known he did it.
Professional engineers are held responsible for the actions of their firms because by definition they understand and usually have to sign off on the actions of their underlings. If Bobo the rookie engineer makes some huge material strength error in his latest plans, it's OK (well, not for Bobo probably, but for the company), because Bobo is by law supervised by at least one board-certified professional engineer who should catch the mistake before s/he signs the plans. If the supervisor fails to catch the mistake, or if Bob the board-certified engineer who works for himself makes the same mistake and signs his own plans, there is liability to the person who signed the plans. Since IT lacks any sort of professional organization to say "Sue is a certified IT professional", Sue's liability is limited to where she can be proved to have been negligent. Did she know that Bobo the rookie IT guy made a mistake? Who knows? Did she report it to her boss (who doesn't even have to know anything about IT to be her boss)? Who knows. Can she be sued? Maybe. Can her boss? That's pushing it. Can Bobo? Probably, but he makes 35K a year and owes 10 of it to his credit card company. Not going to help you much, I'm afraid.
Now if it can be proven that one of the board ordered the firewall to be taken down, or that they knew it was down and took no action despite the realization that it would cause huge problems for their customers, then they might be personally liable. This would be a criminal action on par with what Enron's executives did. This would be willful misconduct. As it is, they probably didn't even realize the problem existed until it was so late that all they could do was jump ship.
Re:Your reasoning is flawed (Score:1, Informative)
In October 2006, Ken Lay's conviction was vacated. This means his family walks off with a huge amount of money that should have gone to the victims.
Re:Things did get done before corporations (Score:3, Informative)