Paging Dr. Data Breach, please come to the IT morgue

Incident: Bringing down your fundamental means of protection simply to perform a data migration is one kind of stupid; forgetting to put it up again is monumental.

That's what admins from an IT firm called Verus did. And by "called" I mean "now out of business."

To transfer data from one server to another, the admins disabled the firewall, then left it disabled, potentially exposing the personal financial details of more than 91,000 patients of at least five US hospitals to anyone who happened by.

The five hospitals reported that the problems originated from the Verus-operated bill-paying service each hospital used. The earliest breach was announced in late May 2007, the latest in late July.

The affected hospitals, which may have numbered as many as 60 in total, cancelled their contracts with Verus as soon as the breaches were discovered. By August, Verus was out of business.

Initially, the incidents were each thought to have been isolated. The true scale of the goof was not known until Medseek took over the Verus contracts at many of the affected hospitals, a Medseek executive explained.

Fallout: According to published reports, there has been no criminal misuse of the data since the screwup. Verus, of course, paid the price for its idiocy with its corporate life. The company was mothballed so fast, nobody knew what happened.

Moral: If you disable your network's fundamental protection measures just to migrate data from one server to another, you're doing it wrong. And for Pete's sake, if you're going to turn off the corporate firewall for any reason, be sure to turn it back on again.