In 2010, I worked as an IT Consultant on a remediation project at an HMO. I was examining and exploring the datacenter when I found a 12-port dialup modem under a rack hidden in a rats nest of cables.
I followed the connections to a 'server', which was actually just a PC. This PC was running Searchlight BBS - a Bulletin Board System from the 1980s.
The PC was also logged into the Netware servers as Administrator. After a lot of inquiry, I learned that this was the system which medical clinics 'out in the weeds' used to submit insurance claims for medical work. So, think of it like this:
Your doctor connects, via dialup, to another computer running a front-end which was hackable thirty years before. He logs in and sends your medical claim with ALL your PII (Personally Identifiable Information - a HIPAA term) over the telephone lines in clear text.
Once at the other end, it's stored locally on that PC in clear text and anyone walking up to that machine has Administrator access to EVERYTHING.
"AAAAAAAAAAAAARRRRRGGGGHHH"
Epilogue:
I brought this HIPAA Compliance problem up the tree all way to the director and could not find a single person of authority willing to take my concern seriously. It was "just the way we do things". Good Effing Grief!
