I was the Tech Lead at a company that handled pharmaceutical materials and as a result, we were often responsible for PII and PHI, meaning we were also subject to HIPAA.
A new IT administrator took over at the company and once he got his bearings, decided to do some spring cleaning and audit all of our servers and systems, specifically looking at any security issues. As part of this activity he sent me a list of FTP sites that were open to the Internet and asked for my help figuring out how they were being used.
Mostly they were empty, had no references, or had logs that showed no recent access. Then I stumbled upon a site full of 1000s of files that looked familiar, but I couldn’t quite place. I opened one of these files and it was full of PHI data. On a public FTP site without any authentication required.
It turns out some previous IT administrator had “reused” an old FTP site to be the “secure file store” for PHI data. The problem is, it only had restricted access on the internal network - it was completely open to the Internet.
I didn't walk, I ran to the admin's office and asked him if he could get the site shut down faster than I could pull the server's power cord out of the wall. He was in luck because the server room door was closed and locked that day. Fortunately, the paperwork related to this incident wasn't my responsibility, because that was not a fun day.