February 5, 2023

Volume XIII, Number 36


February 03, 2023


FBI Releases Warning on Cyber Criminals Targeting Sensitive Information Through File Transfer Protocol Servers

Cyber criminals are constantly seeking new ways to gain access to personal and health information and, on March 22, 2017, the FBI issued a specific warning to health care providers regarding threats to File Transfer Protocol ("FTP") servers operating in anonymous mode.

FTP is a standard network protocol that is widely used to transfer data with a network host. Generally, users will access the FTP server with a user name and password. When an FTP server is operating in anonymous mode, however, anonymous users can gain access with a common user name that is not password protected or with a generic password or email address. This unsecured access may leave the FTP server vulnerable to attack by cyber criminals.

Cyber criminals who are able to access an FTP server that stores protected health information ("PHI") or personally identifiable information ("PII") may be able to compromise such information or may use such information for criminal purposes, such as blackmail, identity theft, or fraud. Health care providers may then be responsible for reporting a breach of PHI under the Health Insurance Portability and Accountability Act ("HIPAA") as well as under any applicable state laws. In addition, cyber criminals may use an FTP server in anonymous mode to store malicious tools or to launch a cyber attack.

In response to this threat, the FBI recommends that health care providers specifically request that their IT professionals check their networks for any FTP servers running in anonymous mode. If there is a legitimate business purpose for operating an FTP server in anonymous mode, health care providers should ensure they do not maintain PHI or PII on the server.

The FBI’s guidance may be read here: https://info.publicintelligence.net/FBI-PHI-FTP.pdf  
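One way an IT team could run the recommended check against FTP servers it administers, shown as an added example that is not part of the original article or the FBI's guidance. The inventory addresses are constructed placeholders and the function names are hypothetical.

```python
import ftplib

# Constructed placeholder addresses (RFC 5737 documentation range);
# replace with the FTP servers listed in your own asset inventory.
INVENTORY = ["192.0.2.10", "192.0.2.11"]


def check_anonymous(host, port=21, timeout=5.0):
    """Classify one FTP server you administer.

    Returns (status, detail) where status is one of:
      "anonymous-allowed"  server accepted the anonymous login
      "anonymous-refused"  server answered but rejected the login
      "unreachable"        no FTP service answered on host:port
    """
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
    except (OSError, EOFError, ftplib.Error) as exc:
        return "unreachable", str(exc)
    try:
        # login() with no arguments sends USER anonymous / PASS anonymous@,
        # the "common user name" and generic password the article describes.
        ftp.login()
        return "anonymous-allowed", banner
    except (ftplib.Error, OSError, EOFError) as exc:
        # Typically error_perm, e.g. "530 Login incorrect".
        return "anonymous-refused", str(exc)
    finally:
        try:
            ftp.quit()
        except (ftplib.Error, OSError, EOFError):
            ftp.close()


def audit(hosts, port=21):
    """Run the check over an inventory and return {host: (status, detail)}."""
    return {host: check_anonymous(host, port) for host in hosts}


if __name__ == "__main__":
    for host, (status, detail) in audit(INVENTORY).items():
        print(f"{host}\t{status}\t{detail}")
```

Any server reported as `anonymous-allowed` should either have anonymous mode disabled or be confirmed to hold no PHI or PII.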

© Copyright 2023 Murtha Cullina

National Law Review, Volume VII, Number 100

About this Author

Stephanie Sprague Sobkowiak, Murtha Cullina, physician group attorney, health care industry legal counsel, hospital regulation compliance lawyer

As the co-chair of the firm's Health Care practice group, Ms. Sobkowiak represents health systems, hospitals, physicians, physician groups and other clients in the health care industry.  Her practice includes assisting those clients with a wide range of compliance, regulatory, managed care, risk management and reimbursement issues, including fraud and abuse, payor contracts, medical staff and credentialing matters, Certificates of Need and HIPAA and related security breaches. 

Ms. Sobkowiak has experience assisting health care clients with a wide variety of contracts, from physician...

Julia P. Boisvert, Murtha Cullina, physician practice groups, social service providers lawyer

Julia P. Boisvert is an Associate in the firm's Health Care Practice Group.  She assists hospitals, physicians, physician practice groups, social service providers, and other for-profit and nonprofit health care providers with a variety of health care regulatory, corporate, and business issues.

Julia has experience advising on corporate formation, governance matters, corporate transactions, employment matters, practitioner and facility licensure, Medicare and Medicaid reimbursement, HIPAA and privacy compliance, and fraud and abuse matters. She...