Electronic prescription security breach
- IT TOPICS:Security
This story just came to my attention and I think it is worth pointing out a couple of things. Apparently, "Georgetown University Hospital suspended a trial program with an electronic prescription-writing firm last week after a computer consultant stumbled upon an online cache of data belonging to thousands of patients..."
As you read through the scenario, several things are wrong with the picture. First off, a consultant was working in a doctor's office installing e-prescription software called Medisoft. He was having difficulty getting it installed, so he started looking through the file system, "where he found an internet address, a login name and a password for a server operated by InstantDx, a Medisoft partner". That's fine and exactly what any IT person would do. He logged into the server looking for updates to the software, or whatever, and ended up downloading everything available in the site directory so he could find what he was specifically looking for. It sounds like he accessed an FTP server for which he had the login and password. So far, okay. However, note that the address, login and password were hard-coded into the application, sitting in cleartext on a customer's machine. That is a big no-no right off the bat.
But, moving on. As he examined the downloaded files, according to the Wired News story, he opened a .csv file and found protected health information on thousands of Georgetown University Hospital patients in the Washington D.C. area. Oops. Eeek. Wow. It's amazing what you can find on an FTP server, isn't it?
The focus of the story is how security "whistleblowers" have come under fire, some fined, some charged with illegal activity, etc. The story goes on to describe how this poor schmuck tried to figure out how to report the security breach without coming under fire himself. That is a shame. He evidently ended up calling the helpdesk at InstantDx and the technology guys removed the naughty file from the server. Problem solved.
However... does this constitute a HIPAA violation? Yes, it does. Whose fault is it? InstantDx. Are they owning up to it? Apparently they are. But are they also laying blame and passing the buck? A bit. Listen to this: "InstantDx attorney Robert Hudock, an e-health specialist at the Washington, D.C., firm Epstein Becker & Green, says two separate weaknesses conspired to create a security hole for a brief period of time, and that no malicious activity resulted. He emphasizes that Perry couldn't have accessed the data if he hadn't gone poking around in Medisoft."
Yeah, right. Poking around? Hey, the guy was just trying to get the software installed. There are two mistakes that I see InstantDx and Medisoft made. InstantDx was not rigorously reviewing the files it placed on the FTP server to ensure that no protected health information was resident there. And Medisoft should not be hard-coding logins, passwords and Internet addresses in its application: a credential shipped inside every installed copy is effectively a shared secret that anyone with the software, or a copy of its files, can read and use. That is a very poor practice.
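As an added example (not from the Wired story, and not code from Medisoft or InstantDx), here is the kind of pre-publication check a practitioner would want in front of a file drop like that FTP directory: it flags CSV files whose headers or cell values look like patient data, and config files that carry cleartext credential settings or `user:pass@host` URLs. The file names, field names, patterns and sample files are all constructed assumptions for the demonstration; the PHI header list is a starting point, not a full HIPAA identifier catalogue.

```python
"""Pre-publication scan of a drop directory for PHI-looking CSVs and cleartext credentials.

Added example; every file and value below is constructed, not taken from the story.
"""
import csv
import io
import re
import tempfile
from pathlib import Path

# Column names that usually mean a row identifies a patient (assumption: a starting
# list, not a complete HIPAA identifier catalogue).
PHI_HEADER_RE = re.compile(
    r"(ssn|social.?security|date.?of.?birth|\bdob\b|patient.?(name|id)|"
    r"first.?name|last.?name|diagnosis|medical.?record|\bmrn\b)",
    re.IGNORECASE,
)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                      # 123-45-6789
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")  # MM/DD/YYYY

# key=value or key: value lines that carry a credential in cleartext
CRED_LINE_RE = re.compile(r"^\s*(password|passwd|pwd|login|user(?:name)?)\s*[=:]\s*\S", re.IGNORECASE)
# URLs with user:pass@ embedded, e.g. ftp://updates:s3cret@host/path
URL_CRED_RE = re.compile(r"\b(?:ftp|https?)://[^\s/:@]+:[^\s/@]+@\S+", re.IGNORECASE)


def scan_csv_text(text: str, sample_rows: int = 50) -> list[str]:
    """Return findings explaining why a CSV looks like it carries PHI (empty list if clean)."""
    findings: list[str] = []
    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        return findings  # empty file
    for col in header:
        if PHI_HEADER_RE.search(col):
            findings.append(f"header column {col!r} looks like a PHI field")
    ssn_hits = dob_hits = 0
    for i, row in enumerate(reader):
        if i >= sample_rows:  # sampling keeps the scan cheap on large exports
            break
        for cell in row:
            if SSN_RE.search(cell):
                ssn_hits += 1
            if DOB_RE.search(cell):
                dob_hits += 1
    if ssn_hits:
        findings.append(f"{ssn_hits} cell(s) match an SSN pattern")
    if dob_hits:
        findings.append(f"{dob_hits} cell(s) match a date-of-birth pattern")
    return findings


def scan_config_text(text: str) -> list[str]:
    """Return findings for cleartext credentials in a config-like text file."""
    findings: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if URL_CRED_RE.search(line):
            findings.append(f"line {lineno}: URL with embedded credentials")
        elif CRED_LINE_RE.match(line):
            findings.append(f"line {lineno}: cleartext credential setting")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a drop directory; return {relative path: findings} for files that must not be published."""
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        findings = scan_csv_text(text) if path.suffix.lower() == ".csv" else scan_config_text(text)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def demo_report() -> dict[str, list[str]]:
    """Build a constructed drop directory in a temp dir and scan it (assumed sample data)."""
    samples = {
        "outbound/patients_export.csv": "PatientName,DOB,SSN,Diagnosis\nJane Doe,03/14/1961,123-45-6789,J45.909\n",
        "outbound/medisoft_update.ini": "[Update]\nServer=ftp://updates:s3cret@ftp.example.invalid/pub\n"
                                        "Login=medisoft\nPassword=hunter2\nTimeout=30\n",
        "outbound/manifest.csv": "file,version\nsetup.exe,1.2\n",       # clean
        "outbound/readme.txt": "Installer notes. Timeout is in seconds.\n",  # clean
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for name, findings in demo_report().items():
        print(f"BLOCK {name}")
        for f in findings:
            print("   -", f)
```

Run it as a gate before files are copied to the server, failing the job when the report is non-empty; the same `scan_config_text` check, pointed at an installer's own files, is how you catch a vendor shipping a shared FTP login to every customer.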
It sounds like the data was exposed for a brief period of time and the problem was resolved. But security best practices were ignored by both companies. That's the real story.