Within a few hours, the server was no longer accessible. I got no reply from the company, but regarded this as a success.
Today, I was informed about this article:
Professor hacks University Health Conway in demonstration for class
Everything in that title is incorrect. I didn't hack anything, I did a google search and connected to an open FTP server. I was not teaching classes at that time, and I didn't demonstrate it for anyone.
All I did was send this email:
Hello:
I am Sam Bowne, an instructor at City College San Francisco, and I found two security problems on your server with a Google search.
Your FTP server has been compromised, and some files named "w0000000t" were added to it.
However, that's very minor compared to the fact that you have dozens of files publicly exposed on that server containing medical data about thousands of patients.
Here's the server root:
ftp://conway.lsuhsc.edu/
Here's an example file showing approximately 2000 of what appear to be patient names:
ftp://conway.lsuhsc.edu/EACHBSTMRP20121120.txt
Here are some patient addresses:
ftp://conway.lsuhsc.edu/EACHB20121122.txt
There are many more files there--you may have a serious violation of HIPAA regulations here.
These files have apparently been exposed for at least a year, and have already been copied to other servers by FTP search engines:
http://filemare.com/en-us/browse/155.58.160.62@@@60/12
The "w0000000t" file is apparently part of a mass compromise of Microsoft FTP servers, which was found but not explained by a French security company named QuarkLabs in this slide:
http://samsclass.info/lulz/w00t-ftp.png
Full presentation here:
http://www.quarkslab.com/dl/D2T1-Why-Port-Scans-are-for-Pussies.pdf
Please alert your technical and legal staff.
I am happy to answer any questions you may have.
Sam Bowne sbowne@ccsf.edu
I will post a comment on the article and contact him on Twitter, and update this if anything worthwhile happens.
I see that the article linked above is just repeating lies from this newspaper article, authored by "Staff":
Conway had server breach; no personal information lost
Here are screenshots of the articles as I saw them today, 8-28-14:
I posted this as both a Tweet and a comment to SC Magazine:
My comment on the SC magazine article vanished. It may be pending approval. However, I remembered a general principle I have learned from vulnerability disclosure: the person who created the problem will never admit it or fix it.
To find responsible people, one must go to the top.
So I found the owners of both papers and sent these Tweets to the CEOs.
Since the parties involved are all liars, I posted everything I did publicly in an open letter to all stakeholders:
http://samsclass.info/125/proj11/LSU-HIPAA.htm
The two CEOs have also remained silent.
Apparently, committing libel is a common thing for them, and they are comfotable completely ignoring the protests of their victims.
I have begin inquiries with attorneys to find out the best way to force these liars to take some responsibility for their crimes.
Professor says Google search, not hacking, yielded medical info
However, the original, false article remains online, with no link to the later corrective one, and my comment remains deleted.
Professor hacks University Health Conway in demonstration for class
This is a very strange way to run a news blog.
This is far from ideal, since it might appear to reward him for extortion, but it did accomplish my primary objective of removing the libel which could harm me and CCSF.
Here is the amended article:
There's nothing like a good lawyer when you need one!