Contractor Folds After Causing Breaches (274 comments)

talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."
  • Re:Capitalism Rules! (Score:4, Informative)

    by peragrin ( 659227 ) on Thursday August 16, 2007 @08:57AM (#20247969)
    But it's government regulations that have made it that way. The BOD of corporations should be ultimately responsible for the actions of the entire company. Since corporations are a government-protected body, removing the regulations protecting them opens the BOD up to others.
  • Re:HIPPA (Score:5, Informative)

    by Jhon ( 241832 ) * on Thursday August 16, 2007 @09:02AM (#20248027) Homepage Journal

    There are serious fines and even criminal penalties for letting confidential patient records out.
    Great summary of HIPAA here. [ama-assn.org]

    Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
    Notice that "knowingly" statement?

    Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPPA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name...

  • by deftcoder ( 1090261 ) on Thursday August 16, 2007 @09:11AM (#20248125)
    A judge can reinstate a business for the duration of a trial though, even if it was dissolved (with no objections) through the normal channels.

    Just because your business was officially dissolved (through the Secretary of State's office) doesn't mean that you're off the hook for bad shit you pulled.

    If an employee or contractor was found to be negligent or acting outside of their role within the corporation, they can be found personally liable. That usually results in employee/contractor suing the business and vice versa.

    American business law is very interesting.
  • by BlackCobra43 ( 596714 ) on Thursday August 16, 2007 @09:25AM (#20248279)
    The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.

    Likewise, if the policies enacted by a company direct actions that defraud the public out of millions of dollars, they will be held accountable (see: Enron). If Joe Sixpack in accounting traffics data all on his own, why should the CEO be held accountable?
  • Aren't these the same directors who (for Enron, Worldcom/MCI, Adelphia Communications, etc) claimed that they had no idea that their companies were operating deeply in the red and that their quarterly earnings reports weren't worth the paper they were printed on? These are the same people who go before congress and suddenly develop very bad memories.
    No, they're different directors. That lot WAS jailed - and they were jailed because of THEIR decisions, not those of their underlings.
  • Re:Capitalism Rules! (Score:5, Informative)

    by nmx ( 63250 ) <nmx@nOspAm.fromtheshadows.net> on Thursday August 16, 2007 @10:22AM (#20249059) Homepage

    Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again.

    Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

  • by QuantumRiff ( 120817 ) on Thursday August 16, 2007 @11:44AM (#20250105)
    This hospital had 30,000 patients' data exposed. There is no mention of it in an easy, quick-to-find location on their website [skylakes.org]. This is 30,000 patients exposed in a town of about 40,000 people... Our local newspaper had a very, very small article on it that looked like it was written by the hospital PR person. Good god, I hate small towns..
  • by DrgnDancer ( 137700 ) on Thursday August 16, 2007 @12:01PM (#20250331) Homepage
    In those cases the executives in question committed criminal acts and were charged with crimes. There's a difference between being punished because you did something wrong, and being punished because some goon five levels down from you on the corporate chain made a dumb mistake. The OP mentions that as a professional engineer he is responsible for the actions of his company, despite the fact that it is a corporation. Of course all professional engineering companies are REQUIRED to have at least one supervising professional engineer. Same with architecture firms, law firms, and lots of other "professional" companies. This is because at some point someone decided that there needed to be a licensed professional personally in charge of licensed professional activities. If the board of the OP's company has members who are NOT professional engineers (unlikely and probably not legal though that is), they are NOT personally responsible if the bridge the company is building falls down (which is why many industries ban non-professionals from even serving on the boards of professional companies).

    If the argument is that perhaps IT should be made a legal "profession", with a certifying board to establish competency, requirements that a professional services IT company have a board certified IT professional who is responsible for the company's actions, and an expectation that large non-IT specific companies also have a board certified IT professional to manage company practices (like the legal or medical departments have certified doctors and lawyers), you might have a good idea. As it is, you're asking that the members of a board of directors, who probably have no IT knowledge at all, personally pay for the actions of some guy several levels below them, who did something they probably wouldn't have even understood was bad at the time had they known he did it.

    Professional engineers are held responsible for the actions of their firms because by definition they understand and usually have to sign off on the actions of their underlings. If Bobo the rookie engineer makes some huge material strength error in his latest plans, it's OK (well, not for Bobo probably, but for the company), because Bobo is by law supervised by at least one board certified professional engineer who should catch the mistake before s/he signs the plans. If the supervisor fails to catch the mistake, or if Bob the board certified engineer who works for himself makes the same mistake and signs his own plans, there is liability to the person who signed the plans. Since IT lacks any sort of professional organization to say "Sue is a certified IT professional", Sue's liability is limited to where she can be proved to have been negligent. Did she know that Bobo the rookie IT guy made a mistake? Who knows? Did she report it to her boss (who doesn't even have to know anything about IT to be her boss)? Who knows. Can she be sued? Maybe. Can her boss? That's pushing it. Can Bobo? Probably, but he makes 35K a year and owes 10 of it to his credit card company. Not going to help you much, I'm afraid.

    Now if it can be proven that one of the board ordered the firewall to be taken down, or that they knew it was down and took no action despite the realization that it would cause huge problems for their customers, then they might be personally liable. This would be a criminal action on par with what Enron's executives did. This would be willful misconduct. As it is, they probably didn't even realize the problem existed until it was so late that all they could do was jump ship.
  • by Anonymous Coward on Thursday August 16, 2007 @12:18PM (#20250603)
    With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.

    In October 2006, Ken Lay's conviction was vacated. This means his family walks off with a huge amount of money that should have gone to the victims.
  • by rsborg ( 111459 ) on Thursday August 16, 2007 @02:10PM (#20252083) Homepage

    Consider bankruptcy, for example; that is a form of "limited liability" as it applies to the individual.
    You are aware that for a majority of the populace, Bankruptcy as you describe it is pretty much dead [findlaw.com]? Yes, personal limited liability, RIP 2005.
