Consider the case of www.freehipaa.net, a Web site that advertises free, open-source HIPAA-cmpliant medical software. HIPAA is the US law that protects the privacy and security of patient medical records; it has, among other things, provisions specifying security standards for remote storage, use, and retrieval of sensitive patient information.
HIPAA compliance is a big deal; those who violate the standards can find themselves neck-deep in legal trouble, and anyone who is responsible for maintaining patient medical information is obligated to take security very seriously indeed.
Which is why it's all the more amusing that I received a fake PayPal scam email in my mailbox today directing suckers to a phony Web page, where the hackers could steal their PayPal information. The hackers responsible for these scams first find vulnerable Web servers with outdated content management or ecommerce software, then hack these Web sites ad put up their phony phishing pages, and finally send out spam email directing the unwary to the hacked Web site for fleecing.
Today's cracked Web site du jour? None other than http://www.freehipaa.net/icons/us/webscr.htm -- yep, that's right. The creators of HIPAA-complaint medical billing software can't even secure their own Web server.
Hmm. I wonder if their software is any better...