Military Healthcare Data Stolen
An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families is contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
The files were IN the computer?
This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information.
Well if the military keeps a record of immunizations of its soldiers, then any country wishing to use bio weapons upon the US could use their medical record to determine which viruses/bacteria/pathogens they are weakest against.
To steal from somewhere the military has a huge interest. They'll probably spend the cashola on the investigation, and when they are caught someone is going to get it REALLY hard right up the ...
I work in healthcare
Healthcare sysadmins are often pretty poorly paid and are often people who would not make it in a business environment, and the security is often minimal. I know, I 'test' it.
I think we will have a few more of these disasters until the healthcare industry realises that IT is part of its core business and has to pay accordingly.
Humorous signatures are over-rated.
This makes me think of all the conference speeches I've given on security, watching folks yawn through the physical security sections.
Firewall indeed.
-JPJ
Feh.
The Defence Department learns that Windows are a problem in information security.
(Score: -1, Stupid)
Well, hopefully the systems were using linux or a BSD, had difficult passwords, and encrypted the records......
Hopefully the data is encrypted? You'd think (and hope) that having a government contract would mean the company has some decent security. This much information can be abused in any number of ways, not just by terrorists. Perhaps this is an argument against having people's entire lives stored in a database.
What makes people so sure they were after the computer for that data? They probably stole it so they could play The Sims Online.
maybe the US government should secure their equipment a little better before they try to secure the internet.....
That's a lot! Black market price of a valid credit card no. with associated information(or a real stolen credit card) is around $10, that's $5,000,000 in total!!
Now if the government contractor was only following the government mandated HIPAA regulations....
Few security questions here.. How can someone just walk out of a building with a computer? Isn't the data encrypted on disk? Why does a contractor even need SSN's, etc? But we all know we have no privacy anyway, right?
If my name was on that list I would be very very worried about my family. If it was indeed for nefarious purposes that it was stolen, then there should be even more cause for alarm.
I only hope that this allows the government to realize the enormous burden upon them to protect our information as a national security priority in a non-conspiracy theory kind of a way (is this even possible?).
Cheers,
VonKraken
Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail, law enforcement should really focus on the criminals that are easy to identify and prosecute: companies that don't treat customer data with appropriate care. If a few high-profile cases resulted in hundreds of millions of dollars in fines, these cases would soon stop happening: companies would finally make the modest investments necessary to keep customer data secure.
Most computer hardware is stolen to be sold on as computer hardware. These could be your standard issue thief who is only likely to sell on the hardware itself, without ever knowing he even has the data. Of course it could be someone who has an interest in the data, or someone who just wants to say a big F**** YOU at the guys in charge of these things. If this hardware isn't UV marked or otherwise, so it can be detected later, I would be very disappointed. At my college we UV mark EVERY piece of hardware, and things like optical mice (i.e. not the cheap ones no one wants to steal) are locked to the workstations, so you couldn't steal them without breaking them.
forget about virtually protecting patient data with VPNs and encryption... how about some physical security? They state that there was "reasonable security" for a company; hmmmm... obviously that hinges on your definition of reasonable.
Data like this is a gold mine if the thieves have any idea how to use it. I hope they are advising people to put fraud alerts on their credit reports... but there are things worse than identity theft. What might that information be worth to a foreign power, or terrorist organization?
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
My question would be, did the thieves know that the computers contained military data, or were they just hijacking computers?
It said that "hard drives" were stolen... what about the rest of the PC? If other electronic equipment was stolen, it could just be a simple theft.
Regardless of the target, I have a feeling the military will be doing a detailed investigation. If it's just common crooks, they could find themselves in a whole lotta trouble after messing with the military.
"Yes, Lieutenant. I've already heard your name, rank, and serial number, over and over again. Now, I'd like to show you this photo... Steady! (Hold him, please.) Our sources looked up your next of kin in your medical records... This is a recent photo of your mother and father, hm? Our operatives are quite good at photography, we train them well.
"Now where were we? Oh yes. Now, Lieutenant, I'd like you to begin talking. And please remember, your parents' lives depend on what you say. Name, rank and serial number are not acceptable."
if you haven't got physical security, you haven't got ANY security.
At least one too many.
Unless you are trying to be funny, and mean "unlocked windows", you are an idiot.
What the heck does the OS have to do with the fact that the hardware was stolen?
I happen to be in the military, though just an Airman First Class, and due to the nature of my assignment I have to deal with contractors pretty often. Because of how the system works it seems like most of the time the military is getting hired by the contractors. More often than not we have to meet their standards and I have yet to see an off base contractor that would meet DoD 'standards' for security. Furthermore, since all of our individual records are tracked by our social security numbers we don't really have much in the way of private information (there's "Privacy Act of 1974" stickers everywhere but that's pretty much a joke to begin with). I'm not sure why there'd be credit card information there and I've never heard of TriWest (Tricare is our health provider, typo maybe?) and judging on past experience I'd be surprised if the affected military are notified. Heck, I'd be surprised if they know which individuals it was. As for whether it was the hardware or software the thieves were after, all I'm going to say is a lot happens right here in the Midwest that the general public is never aware of. There are active terrorist cells on US soil but for one reason or another there's not a lot we can do about them.
Yes, I've done it.. but only in an apple article, where the total number of posts before it got archived was like 11.
It was 500,000 records including ssn's, and SOME credit card information. That doesn't mean that EVERY ONE of those people even HAVE credit cards, much less that each stolen record includes credit card numbers.
Is it any wonder? These contracts always go to the lowest bidder. I'd not be surprised to learn it was an "inside job", and that something nastier than identity theft or credit card fraud shall transpire. I hope I am wrong. I also remember how sloppy the military was (and still is I would presume) with my records.
Troll? What a waste of a modpoint.
So this suggests that the U.S. Government's Total Information Awareness program would be a nice, juicy target. After all, everything's in one place...
Hey, mod this up as a 2, funny! It's a good groaner of an attempt at humor, not a swipe at MS.
Some new sysadmin decided to show how forward thinking (can I say that on /.?) he was and decided to sneak linux in through the back door. Hmmmm, now where could he get a server that doesn't seem to be doing anything?? The server wasn't stolen, it's by his desk running samba!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
i never even thought of that application.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
You know who would really want that data?
Insurance companies.
Yes, that's right. What if insurance companies could get the records of servicemen?
You do know that the Veterans Affairs charges back to private insurance companies for some procedures, yes? And that insurance companies would love to get more information about medical procedures and treatment so they could refer said patients back to the VA?
I don't see how a system with such crappy security could have been in compliance with HIPAA. Anyone understand that stuff well enough to say? It sounds like that company may be facing some penalties.
Imagine how much fear a terrorist group could instill in US military personnel with that sort of data. Makes you think.
-psy
Filesystem encryption is not well-supported in ANY of the free operating systems. Linux has some very kludgy loopback system support, which you would not want to use in a production system. Reiser 4 should have some very solid, thoughtfully-integrated crypto abilities, but other than that, nothing. Even the security-oriented OpenBSD scoffs at having encrypted FS. They think that anyone who wants that is "paranoid". Huh?
1 Unreal Tournament server. Previous careful owner.
Made from high grade components! As seen on TV.
maybe he thinks:
"if it was a linux / unix machine the thieves would not know how to use it."
but i can assure you this way it is much better.
cause it's windows it will crash every time they try to access the data and finally the govs can trace 'em with help of the m$ spyware =))))))
stop supporting microsoft with pirating their software!!!!!
I'm currently serving in the military. Our SSNs are tied to all of our records - financial, medical, everything.
:-(
The number of credit card numbers that TriWest has is probably relatively small. I know they don't have mine. I think the only reason they would have to need credit card information is if a soldier had to pay for a medical procedure that isn't 100% covered (usually involving dependents/spouses).
The biggest threat that this theft creates would likely be identity theft, although due to the aforementioned prevalent use of the SSN in nearly all military records, this might not even substantially raise the exposure service members already face. Google shows scores of web sites and articles regarding military identity theft.
I guess that's what I get for serving my country.
Did the DOD think to have these sensitive files encrypted? Don't most online stores encrypt their credit card databases now?
I may not be the most paranoid person I know and I think it's a bit crazy to go to such lengths but if a file is that important why wouldn't you?
Why not go the extra mile and use an encrypted file system as well? Wait, that's the paranoid side of my thinking again.
I guess it takes a lot of high profile incidents like this to get folks to wise up about security on all levels.
If we let people steal military data, then the terrorists have already won.
I never thought I would use that phrase in a case where it actually makes sense.
Trust me. Unless it's actually classified... it's not encrypted.
Healthcare data isn't classified.
If you have ever had to deal with Tricare, I feel your pain.
It is *the* worst insurance system in the world.
Call them twice - ask the same question - you will get a different answer 85% of the time. There are times, in fact, where it's been better to *not* use them at all, and just pay outright.
I feel for all you who are forced to use tricare, and are now possibly screwed somehow because your info was stolen. Keep your eye on your accounts and whatnot, I know we will be doing so more than ever.
http://slashdot.org/~tf23/journal
One of the doctors needed to back up his hard drive for a reformatting at home and thought "Oh, if I swipe it for the weekend, nobody'll notice."
It's in the first line.
Thieves who broke into a government contractor's office snatched computer hard drives containing Social Security numbers, addresses and other records of about 500,000 members of the military and their families.
Only the hard drives were taken from the machines, so unless the thieves were desperate for more space to download mp3s onto, then it's quite probable that they were just after the data.
"Free software as in beer, copy protection as in racket" - Telsa Gwynne
Mugging victim: ... gah! Police officer! That man over there just punched me in the face and stole my wallet! Help!
Policeperson: Sorry, you should have treated that wallet with more care. In fact, here's a ticket for a few hundred million dollars that will help motivate you to "take better care" of your wallet.
That the US Government is Stupid. As a Dependent of 2 US Navy Officers, I know that tricare sucks. It was who took care of me when I was sick. They are bass ackward, and one hand doesn't know what the other hand is doing. You would think the government would do more than just set off a probe (i.e. change Social Security Numbers, etc etc.) The shit is going to hit the fan, and I feel sorry for the guys when and if they get caught because they will be labeled "Terrorists" and then have to go through that shit. Remember Kids- People who do things the government doesn't like are now just terrorists.
---
I think Salon is 'tard.
"Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families is contained on the stolen hardware..."
"...who would be interested in the data..."
who would be interested in a bunch of people's credit card numbers? gee, that's a tough one. :P
"Mitnick free!" ;)
"Military Healthcare Data Stolen!"
Connection?
had to prep all of his vital information "in the event of". This data probably contains all the info one could ever desire to carry out successful ID theft:
- *All* vital stats (in original form?) including for dependents?
- Individuals that will be unable to detect the theft for an extended period
- A SNAFU the size of Iraq to keep the authorities busy
My solution: Dissolve the assets of the company as a lesson for protectors of our data, and make a slush fund to pay out when the attacks start.
You are a stupid, stupid little boy trapped in a world of Linux zealotry and a blind anti-Microsoft rage. I hope you die of a painful, slow cancer and help us rid the world of another worthless fool.
Derek: You think you're too cool for school but I got a newsflash for you, Walter Cronkite. You aren't.
Hansel: Who you trying to get crazy with, ese? Don't you know I'm loco?
Derek: Hey I got a wacky idea. What say we settle this on the runway, Han Solo?
Derek (whispers): Stop it. Hansel: Are you challenging me to a walk off, BOO Lander?
Billy Zane: Don't do this, Derek.
Hansel: Listen to your friend Billy Zane, he's a cool dude. He's trying to help you out.
Derek: Oh yeah, that's a walk off challenge my friend.
Hansel: Ten minutes, old Member's Only warehouse. You ought to remember that, you're a dinosaur. Come on, let's go. Open up.
Zane: I've heard some bad stories about this guy, man, he's limber. Too Limber.
Derek: Put a cork in it, Zane.
How the fuck is this off topic, you worthless cum stain on yur mothers leg. Asswipe.
As a member of the military, I am ~really~ curious to know what they could do with that info.
Someone mentioned immunization records. But who cares if some 80 yr old retired Sgt Major had his TB recently? And until you correlate Soldiers with Units, that info won't do you much good. If you wanted to know that, why not steal it from the Unit... it wouldn't be too much harder; and would provide /a lot/ more info. A lot.
I personally think that they were after SSN's, and just happened to view a haul of 500k as too good to pass up. I don't believe that the fact it was military was of consequence. Which is why I also believe that it was American Civilians that did it, not some Foreign Agent. If so, I'm f*'ing pissed.
I don't need to say how well you can screw someone over with their SSN; imagine the entire Military preoccupied with sorting out their lives; worried about a wife (or husband) and children having to deal with identity theft while the soldier is busy overseas.
--Cam
All jocks think about is sports. All nerds think about is sex.
If they have the freaking media in their hands, no amount of software tricks can secure it. Unless forensics can catch up with them, they have all the time in the world to apply as many monkeys and typewriters as they wish. They're not going to say "Oh, gee, it's going to take days to break this encryption. We better return the computers instead."
Attach GPS compatible tracking devices inside the computers.
The Defence Department then learned that they were neither British nor Canadian and configured their Regional Settings accordingly..
You are so stupid I really can't believe it. You must be trolling. That is one of the funniest jokes I have seen on Slashdot for a while.
The scenario, or the fact that someone thought this was "funny?"
yeah it's true i don't like microsoft products.. ... not even walmart has it and they've got everything, even lindowsOS
mainly because i used them for some time
i know linux is not everything.. but for me it's better than m$
if you are happy about windows, stay with it, but there are lots of people who aren't happy and don't know there is something else/better
then my last post was supposed to be funny and ironically if you don't get it, your problem
btw where can i get this cancer you are talking about???? i called everywhere
stop supporting microsoft with pirating their software!!!!!
With guard towers and barbed wire.
You see, during WW2, there was a tank plant nearly plunk in the middle of Ann Arbor, the home of the University of Michigan. It had guard towers and razor wire, etc. Mind you, this was as far into the heartland, almost, as you could get at the time. There was no jet transportation at the time, and lots of well-armed continental US between either sea and Michigan. Still, it was a matter of national security, so this quaint little college town had an armed presence of some significance. Not so much due to an obvious threat of clear and present danger, but because in theory, the threat of compromise to such activity had fundamental national security implications. We're talking, national life and death issues.
Data should be treated similarly, certainly when entrusted by the government to an outside contractor. If it can't be shown to be absolutely safe in a contractor's hands, then it should not be contracted out. If that means armed security of an armed forces kind, then so be it.
Government bean counters and others with less practical, more dangerous political schemes and secret purposes would probably contract out national security, if you let them.
At this rate, I wouldn't be surprised. Probably to MS Armed Forces XP. Just remember to patch early and often.
Mmmmmm... Bold, yet refreshing!
$5 / month hosted VPS on linux = awesome!
You see, your private information is valuable. If it falls into the wrong hands, you may lose your life savings. Companies that you entrust with it have a duty to treat it with care.
Furthermore, the tax payer shouldn't be responsible for tracking down losses that are enabled by the complete carelessness of poorly run businesses.
It's a well-established legal principle that if you entrust somebody with something valuable, in many cases, they are legally responsible if it's lost or stolen if they didn't take proper care of it. In fact, airlines are liable for loss of your luggage even if they did take proper care of it.
Since personal information is often much more valuable than luggage and since losses are hard to quantify (e.g., suffering from identity theft, etc.), penalties should be stiff.
If a company takes reasonable care to secure their computer systems physically and against break-ins, then they shouldn't be penalized for negligence when data is stolen (although they may still be liable). But this case, like most others, smacks of complete negligence on the part of the company.
About 8 years ago when I was in the Navy, we were REQUIRED to submit a blood sample and cotton swab of the inside of my mouth. We weren't given a choice, we were told refusal would be grounds for discharge.
We had a lot of questions about this such as; storage (where, how long), would they be destroyed after discharge, could it be used against us(in legal proceeding, for insurance purposes)?
We weren't given the answers to those questions. Now I'm wondering where the hell that vial of blood and cotton swab is right now. How secure is it? How could a DNA sample labeled with my SSN be used against me?
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
Gotta love this - a *MILITARY* Contractor can't even protect a database, and I'm supposed to give a copy of my fingerprint to Kroeger in order to buy milk^H^H^H^Hbeer?
It's going to be hellish enough for these people to try and fix and watch things... Wonder what else is in the DB... DNA? Fingerprints? hmmm...
Military healthcare data steals YOU!
So, now that there are moves to significantly increase the amount of information gathered, analyzed and stored on every citizen in the name of a war against terror, how are we supposed to feel confident that this information is not going to be stolen by some terrorist group or spammer and used against us?
Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail
It's the "rather than" that blows me away. It's not just that we have no way of knowing who was behind the crime, clueless or not, but that you somehow think there aren't the resources to go after everyone responsible.
Absent some sort of immunity, the contractor is civilly liable for consequential losses to both the government and the individuals. They appear quite aware of this judging from their remedial steps, and they have plenty on the line without the government butting in with "penalties." At worst the company was negligent -- and we don't know that, either. There is not a thing in the articles suggesting TriWest was at fault. As it now stands they may be a mere victim.
By my count thus far your comment is riding atop three shaky assumptions. You're lucky there's no fine for ill-considered speculation.
I think the two are way too close together to be anything but coincidence. :)
Seriously, given him, he'll be breaking laws in six months.
"Hey Bob... you know those drives we picked up from the military deal? You haven't formatted them yet... right? Well, I know we need more space for porn, but I was just reading the news..."
America - Home of the scapegoat, land of the Corporation
You ever seen a grown man naked?
I recommend German for all government titles of such offices.
;-)
It has a certain satiric edge
"It is a greater offense to steal men's labor, than their clothes"
Healthcare Data steals YOU
Most secure (TEMPEST) locations require the drive be removed and locked in a safe every night. Of course two guys and a cart could just wheel the safe out.
Only the State obtains its revenue by coercion. - Murray Rothbard
Health records? I hope the gov't is not taking this too seriously. It was probably stolen because someone needs more room for their mp3's. I would love to think this is some kind of x-file al-queda conspiracy but health records are not going to turn the tide of any war.
That the thieves had no idea what data was stored on the computer(s), and just wanted to sell the hardware.
Needless to say, Triwest and the military have to plan for the worst, and have to assume that the data is actually going to be used for something, rather than just wiped when somebody fdisk's the computers and installs their OS of choice.
Unless the thieves knew what they were stealing and stole it for the data (which I imagine would be worth way way way more than the hardware it's installed on -- the military and Triwest certainly will consider it so) and so they destroy the hardware rather than trying to pawn it, they're *very* likely to get caught. The serial numbers are likely to be known, and the police will be looking for them very actively.
And if they don't even bother to wipe the disk (quite common in stolen computers, apparently), the buyer of the computer may find all this stuff on the computer, and may have heard of this story, and will call the police ...
And if they do catch somebody, that guy is going to get hit with a lot more than just a simple burglary rap. He'll probably be lucky if they don't classify him as a terrorist (with all the civil rights violations that go along with that) ... even if he's just a simple (but stupid!) burglar ...
The data on all media, including hard drives, should be encrypted. When a computer boots up and needs access to that data, an unswappable process needs to get the passphrase/key so that the information can be made available at run time.
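The design in the comment above (everything on the media encrypted, the key supplied once at boot and held only in memory) as an added illustration that is not part of the original thread. This code was written for this page and is not TriWest's or any vendor's software; it uses only Python's standard library, so its cipher is an HMAC-SHA256 keystream standing in for AES or a dm-crypt style volume, and the file format, passphrase and sample records are all constructed for the demo. What it shows is the property the comment is asking for: the raw bytes a thief gets from the drive contain no names or SSNs, and a wrong passphrase is rejected by the authentication tag instead of producing garbage.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

MAGIC = b"DEMO-ENC-v1"            # constructed file header; lets the loader reject foreign files
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
KDF_ITERATIONS = 200_000          # PBKDF2 work factor chosen for the demo


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Turn the boot-time passphrase into 64 key bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, KDF_ITERATIONS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for a real block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, MAGIC + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key or an edited file raises, never leaks junk."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, MAGIC + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or tampered file")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def write_store(path: str, passphrase: bytes, records: list) -> None:
    """Write records so the on-disk file holds only header, salt, ciphertext and tag."""
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_key(passphrase, salt)          # lives in this frame only; never written out
    with open(path, "wb") as f:
        f.write(MAGIC + salt + seal(key, json.dumps(records).encode()))


def load_store(path: str, passphrase: bytes) -> list:
    """The boot-time step: re-derive the key from the passphrase and decrypt into memory."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(MAGIC):
        raise ValueError("not a store file")
    salt = data[len(MAGIC):len(MAGIC) + SALT_LEN]
    blob = data[len(MAGIC) + SALT_LEN:]
    return json.loads(open_sealed(derive_key(passphrase, salt), blob).decode())


def disk_contains(path: str, needle: bytes) -> bool:
    """What someone holding the bare drive can do: search the raw bytes for a string."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo() -> dict:
    """Round-trip constructed sample records and report what the raw file exposes."""
    records = [  # constructed sample data, not real people
        {"name": "A. Example", "ssn": "000-00-0000", "unit": "DEMO-1"},
        {"name": "B. Example", "ssn": "000-00-0001", "unit": "DEMO-2"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "records.enc")
        write_store(path, b"correct horse battery staple", records)
        ssn_on_disk = disk_contains(path, b"000-00-0000")
        name_on_disk = disk_contains(path, b"Example")
        recovered = load_store(path, b"correct horse battery staple")
        try:
            load_store(path, b"wrong passphrase")
            wrong_rejected = False
        except ValueError:
            wrong_rejected = True
    return {
        "roundtrip_ok": recovered == records,
        "ssn_visible_on_disk": ssn_on_disk,
        "name_visible_on_disk": name_on_disk,
        "wrong_passphrase_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The salt and nonce are stored in the clear on purpose; only the passphrase is secret, and it is what the comment's boot-time process would have to obtain (from an operator, a TPM, or a key server) and keep out of swap. Any real deployment would replace the HMAC keystream with AES-GCM or full-disk encryption; the file layout and the verify-before-decrypt order are the parts worth copying.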
now we need to go OSS in diesel cars
The kind of people that would steal this stuff are lowlife weirdos who need serious mental help and once caught should be immediately sent in for a psychiatric evaluation!!!!
A guy with a gun usually helps things, and if you are going that route hire an off-duty cop so the gun is a real threat.
It's only a matter of time before companies realize data is priceless and thieves will do anything to get it.
This recent incident again illustrates the dangers of putting all one's keys so to speak (ie. social security number, name, address, etc) all in one place.
Though it could be worse...at least most "keys" government/industry have for individuals can be changed in instances of severe abuse of one's identity. But as biometrics come more into use, then the stakes become even greater...how does one revoke themselves?...Suicide perhaps?
Anyways, hope folks who design and implement these security schemes dispense with this "let's put everything in one place" mentality and design and build systems that feature more distributed security...otherwise there will continue to be more and larger incidents of identity theft, etc.
Wouldn't you think that this sort of data would be held in a government owned data center/server farm that had ARMED guards? And shouldn't these ARMED guards be searching people for crap like this. Did we not learn anything from the Los Alamos incident a few years ago when that Chinese spy sent off a hard drive full of our technology goodness to his brethren before stashing it behind a copy machine and acting like he was all innocent? I think whoever was in charge of security at the time of this robbery should be shot to set an example. Sure, the data wasn't as critical as weapons research, but it could be next time.
Dumbshit Military
Whoever has the drive oughta look up the medical information on whoever was in charge of security at the time of the robbery and see if he has a known condition of cranial rectalis (aka. head up his ass)
that movie was about the dumbest fucking thing i've ever seen
I could...
a) Insert false records and allow the drives to be "recovered", thus introducing false data to the system and allowing for easier social engineering in the future
b) Search records for personnel with preexisting conditions that might make them vulnerable to blackmail (STDs, etc.)
c) Use family information to achieve effects similar to (b)
d) Sell raw SSN in bulk to the highest bidder
e) Deliver the names and addresses of ranking officers in the database to interested parties (so Lt. Jefferson, we hear you have a little problem
f) Use credit card # as one shot spending accounts, or just run up some debts to drive the owners batty (assuming cards weren't canceled already)
Can't really think of anything else. Anyone else have ideas?
My bet is the machine was stolen so somebody could play Solitaire and download porn at home...
Probably nothing sinister....
A firewall. Gas is pumped through a pipe under the door, and released in large jets. Thus a physical "firewall" is created preventing access to the server room. Its effective and you can be the envy of geeks/sysadmins everywhere.
When I had to go to Kosovo in the beginning (1999), I found a computer on our network with an open network share that had ONE MS Access database in it that contained the name, rank, unit, SSN, and MAILING ADDRESS (!) of every single soldier in the United States Army.
Needless to say, I brought it up in a meeting there and they hammered the bonehead who set it up. She was another soldier.
First the military needs to save themselves from.....themselves.
It was one of the IT dudes' son playing UT 2003 and said, "Man this GeForce card rocks! Lemme take it home and swap it with my Trident."
I propose that the military stole their own hardware to cover up patterns of data. Patterns that would reveal the true causes of the 'gulf war syndrome' and evidence that it is a legitimate ailment.
Believe it or not, people actually steal computers because they are worth money.
Isn't it more probable these computers were just stolen by some lowlife to sell them to make some money. The fact that it took a couple of days to even realise that computers were missing makes it reasonable to assume that the hardware wasn't very well protected.
It seems like everything these days has to be about terrorism and national security to give the likes of Bush etc. more ammunition to do stupid things. Why is Slashdot participating ?
beauty is only a light switch away
Why is the US system so ridiculously vulnerable to identity theft? What would it take to secure the system? Can any Europeans opine on whether European smartcard identity systems are more or less secure than SSNs?
Female Prison Rape in NY
Personally, I only encrypt some of my partitions, for efficiency reasons, but in principle it's possible to encrypt all of your partitions (except a tiny /boot partition).
Digital pix can be Emailed to some poor soldier's torturer overseas in mere minutes... personally, just the thought of that chills me to the bone.
All they need is one person who can get on base... contractor, volunteer, or reservist. Heck, even somebody's dependent teenager might fancy himself a political dissident and "do his part against the war." (I'm not ripping on principled objectors... we're talking traitors here) That's a huge number of people, and enough that you could probably find a "fifth column" among them, particularly if you're fighting an unpopular conflict. Enemy Intelligence agencies will exploit all kinds of things to co-opt people... ethnic loyalties, family ties, sex, money, drugs, the foolishness of youth... the number of ways you can compromise a person and turn them into a spy is endless.
It's even easier if what they are asked to do is seemingly innocuous... "snap some pictures of house #X on Patton Street. Just some pictures, nothing else."
Also, people do live off-base. What about those bases where there is not enough on-base housing, or on-base housing has a waiting list of a year or more? The latter scenario is common in some states where the extreme cost of living/housing drives everyone to try to live on-base. Don't think that those military budget cuts haven't affected the housing availability. The housing military can afford off-base is typically in a seedier area, often apartments (particularly for junior officers and enlisted). Those areas are easy to surveil... lots of traffic, people hanging around... you can even rent an apartment in the same complex if you want to watch a "high-interest" target for a longer time frame.
This type of thing is nothing new... terrorists like the Red Army Faction, Black September, November 17, et al have done meticulous surveillance and research on their targets. There is a reason the military trains its personnel to be on the lookout for surveillance, tails, and the like (obviously, the more sensitive your position, the higher your suspicion). More than anything else, it pays to make yourself a harder target, and to act on your suspicions. If Joe Al-Qaeda sees some security types sniffing around, they'll likely abort for an easier target.
The loss of this data is a huge screw-up on the part of the healthcare contractor. There is little more a terrorist organization or enemy power would need than those files. Those CID investigators better be feeling the heat.
It boggles the mind.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Credit card numbers? I do not see the connection between your medical records and credit card numbers. When you are active duty you and your dependents DON'T pay for healthcare, there is no "billing", your military ID card was your payment. No one accepts money or cards at the hospitals or healthcare facilities, you could not pay someone if you wanted to. The only time I'd ever get bills is when one of my dependents went somewhere other than a military facility. I'd get a bill from the specific facility (not the military or their insurance company) of a small % of what was not covered. Maybe things have changed or this story is lacking information. Another question for this contractor: why would billing and medical information be in the same area anyway?
Bad boys rape our young girls but Violet gives willingly.
This is just the latest in a series of faux-attacks from 'outside' that are just excuses to further erode our freedoms. This was an inside job. The military personnel don't need to worry about stolen SSNs, we ALL need to worry now that the feds have an excuse to finally shut down that pesky internet! Unstoppable peer to peer communications beyond our control? No longer, it's a threat to National Security, and we have the list of crimes (that WE committed) to prove it! So long, all, it was fun while it lasted.
physical security is *everything*.
It's a simple task, even under windoze NT/2000/XP, to boot off another CD/Floppy and access the hard drive, change passwords, etc.
Encryption of data is the only *secure* way to enforce this.
Brings to mind the database we had (have?) at work, which we entered into an agreement with our former company (defense contractor) to use. It's an Oracle database. I mentioned in a meeting with the responsible person that it would be easy enough to boot off a Solaris CD, and backup the database, and the next thing I heard from my boss was that when I was up in that building I was "not allowed to touch the database system".
I didn't, of course, but it would have been easy enough. Now, I happen to be a sysadmin (with a DOD Secret security clearance, so I wouldn't do it anyways), but *anyone* with physical access to the machine could do it. And people are in and out of that room all the time.
Sigh. Physical security is *everything* in most cases.
Since the Total Information Awareness project will make finding this kind of information easy, I don't see what all the fuss is about. The government should be able to find this data in a couple of seconds, right?
--
Annotateit at Annotateit.com
Have you ever been the victim of a property crime? I have, multiple times. There isn't any real effort at finding the perpetrators or recovery. It's the same with identity theft. I've been a victim of that, too.
If any of those 500000 innocent people have their identity stolen and their life savings taken away, most likely, it will ruin their credit ratings for years to come. They'll get their money back, eventually, because the credit card company eats the loss. But nobody will make an effort to find the criminals, and nobody will compensate the victims for the time and money they'll spend recovering their money and restoring their credit rating, not to mention the anguish and other problems.
The sad fact is that we already don't try very hard to find the perpetrators in a lot of property crimes--because it's too expensive.
The other sad fact is that we don't go after companies that treat data negligently. But while we can't easily stop muggings on the street, it is easy to stop mass theft of personal data from computer servers. The technology is there. It isn't very costly even. Companies just need to deploy it. And the only incentive for deploying it is if they face big risks and penalties when something goes wrong. Instead, banks keep deploying ASP on NT servers, don't use encryption to protect data, and don't bother keeping their systems up to date.
Absent some sort of immunity, the contractor is civilly liable for consequential losses to both the government and the individuals.
Yeah, and they'll pay up to individuals when hell freezes over. At best, they may play nice with the government because they want another contract.
They appear quite aware of this judging from their remedial steps, and they have plenty on the line without the government butting in with "penalties." At worst the company was negligent -- and we don't know that, either. There is not a thing in the articles suggesting TriWest was at fault. As it now stands they may be a mere victim.
I cannot construct a scenario in which the company could be a "mere victim". Anybody who has 500000 personal records stolen, in any shape or form, is almost by definition, negligent. At a minimum, the data should have been encrypted on disk with a key in volatile memory, so that if anybody walks off with the hardware, the data is useless. This is in addition to reasonable physical security--even for our rather non-secure data center, we have 24h guards and various alarms.
The only way I see in which the company could have been a "mere victim" is if they had been blackmailed into giving up the data and its cryptographic keys, under threat of death to hostages. That clearly didn't happen.
I work for a hospital IT department, and I can tell you that as IT vendors move their operations to Canada and overseas that's where patient info is going. For example, one of our patient databases for a lab system was corrupted and the vendor needed that database FTP'd to them for analysis and repair. This vendor no longer operated in the US, but supposedly was cleared for this kind of transfer through a business partner agreement.
Why wasn't an encrypted filesystem used on such sensitive data? Enter the password at the beginning of the day, shut the server down when the lights go out, enter the password again the next morning.
Hope the jury can understand something as trivial as this if they get sued.
A de minimis level of security has to be taken by the company, including on the servers themselves, since the tools are so readily available, and even free.
NO EXCUSE
Businesses have failure as a terminal option.
For government, failure is just another level of performance.
{Posting in AC because I am not sure if I should be sharing the information below.}
Here are some things that might help reduce the FUD level in some of these comments.
- I do not work there.
- This information came from someone that works within the same system, but not the same contractor.
- Security in the building was likely to be that of a standard call center:
-- swipe cards to get in the building
-- receptionist at the desk watching those enter/leaving, maybe even a rent-a-cop there
-- swipe cards to get on the floors (if any)
-- swipe cards to get to the server room (where the theft probably occurred)
-- cleaning staff in at night, but probably not in the server room.
-- cameras in high-traffic areas
-- off-hours alarms, but shifts on saturdays and early evenings (when fewer people might be around)
- Windows Boxes (NT or 2000) for the call center staff
- Unix-based database (using a DOS-type shell to access), or possibly a Windows front end for users.
- The usual under-educated, second-income/low-income people working there. (Standard call center people, but those capable of learning the complex rules and procedures for medical insurance.) Not many of them would know what to do with a spare hard drive.
- Degrees among the staff members will be rare, even in management.
- The data involved contains at the very least: SSN, name, rank, address, medical history (sometimes 50 years of it), beneficiaries, local doctors, details of procedures, families' names and addresses, copies of letters to and from the insurance companies, copies of letters to and from the insured or their families, call logs, internal process actions.
Obviously, it would be pretty easy to walk in behind someone to get to the building, but getting into the server room might be more of a challenge as there are fewer people with access to it. (IT staff only)
Also note, the company Triwest is up for contract renewal very soon. A theft of this type may tank their bid totally, so it is possible that the theft was designed to make them lose the contract for the benefit of the other competing companies or by someone that has a gripe against the company.
In my opinion, how dangerous this is depends on if "hard drive" means the whole computer case, or if it means "SCSI 60 meg"; and if they were in a server at the time or not. Loose drives can get swiped for lots of reasons, though probably not related to the data on them. Whole server cases could get swiped for the hardware alone, where the thief does not know how to get the data or care about what it is.
Though, if someone went to 4 servers out of 16, or took drives from operating servers (wouldn't they notice right away if someone did that?) it is likely that the data itself was the target and one would expect all sorts of damaging stuff to happen by the release of this data.
Of course, now that there is publicity, the drives might get destroyed if the person just wanted the drives, or if they are a true criminal (not just an amateur) they'll know the drives contain this data and the risk of it getting used goes up.
That sounds more like an isolated incident, and probably related to training. Training is certainly our biggest issue. For instance, I'm in the Communications-Computer Systems Operations career field. I'm supposed to work with networks basically. According to my training material: the dot matrix is the most popular type of printer, CDs are a developing technology, 3.5 floppies are recent technology, every image and diagram shows the old 5.25 floppies, it contains a paragraph to tell me what a SHIFT key does and how to turn on a computer respectively, and personally, out of all the training material I've ever been exposed to it's the worst written. In most cases, at least in my career field, it seems like instead of actually writing the manual up themselves they use clippings out of old magazines. I'm not even going to get started on tech school. I can't speak too much for other career fields but in Comm-Ops, saying we have an issue with training is more of an understatement than anything else.
... subsequent local news stories have it that a local FBI agent had warned that there has been a rash of data thefts here in Phoenix lately from mortgage brokers and other offices that collect personal information. The only items taken are hard drives. So what business keeps "everything" on the desktops?
What he passed was a disaster. It was allowed to be watered down to the point of absurdity after all those "coffees" contributions came roaring in.
He allowed Torricelli to destroy our intelligence agencies through the Torricelli Principle.
He destroyed the military.
Thanks to Ronnie, by Yeltsin, Gorbachev, the Russian people, and the analysts' own admissions, the USSR fell apart thanks to Ronnie, and no thanks to those French Fucks, the hard left factions of the Dutch, German and other countries, and all those protests against "star wars" and the missile deployments that Ronnie and Margie shoved down their throats. The Soviet military puked, and we had a peace dividend.
Bush Sr. made reasonable cuts to the military, and the dems in congress for the 12 years starting in 1980 had a spending orgy on their pet projects. Even though the mini-recession that wasn't ended and growth started more than a year prior to the '91 election, the dems and news cartels played it well enough to get him out of office.
Then comes liar. He cut the military so deeply so he could spend on his pet projects that the military was complaining of not enough helmets, rifles and other small arms, and other training equipment and other readiness equipment. This was a constant but suppressed complaint.
After 9/11/01, we find out that liar had cut the military so deeply that we were short close to a thousand cruise missiles, and that although efforts were already under way to fix this prior to 9/11, it would take over a year to fix this. This is what, 10 years after the gulf war? 10 years later and we're still short a thousand cruise missiles?
We have a shortage of spooks in deep cover where they're needed. We have a readiness problem that is being repaired. North Korea. We were offered Osama on a platter. TWA-800 was shot down by Stephanopoulos' own admission on the Sunday talk show which he quickly retracted when he realized that he included it in a terrorist list of events, and tripped over his own words in his panic.
Yeah, if you destroy the military budget, and spend less for the first time in history the following year than the previous year thanks to a republican standoff on spending, and shutdown of the federal government, you'll run a surplus. Or the tech bubble that happened on the liar's watch while his friends got rich on cattle futures, global crossing, enron (yeah, check it. enron enriched quite a few dems as well as republicans), and others, then "loaned" the liar money to buy a house.
If a gutted medical information law disguised to look like a privacy law is something you use to be proud of the liar, I hope it's enough.
Because the rest of the damage he has done to our government is a disaster.
Freeze them out. No more government work. This would fix this type of bull overnight.
Other firms have been frozen out of government work in the past because of fines/givebacks for overcharges. Normally, the problem stems from huge paperwork requirements, quadruplicate forms, and complex rules for getting paid and keeping records. Something missing, it is played in the press and from the antis (usually happens with military contractors, but I know a lot of fields where this happens) as an example of overcharging/theft, etc.
The end result of the overcharging/theft scandals (that aren't) is that someone in congress puts on the pressure to exclude them from future contracts. The effect of this in the industries that I am in close touch with (non-military) is that this gets discussed to death about what NOT to do, and how to avoid this problem. I heard of issues with companies frozen out going back more than a decade, and they are still being talked about by people who weren't even in the industry at the time of occurrence.
Freeze them out. Then sit back and watch what the other companies do. Your head will spin when you realize what a profound effect a freeze out would have.
btw, if the info in some of the other posts is true, this was an inside job.
My wife and I are IT security consultants in the DC area, and we are both jobless and struggling. We continually see agencies like Tricare who can't or won't or don't hire people like us. Why? Because they have to hire minority quota-companies like the SBA 8(a) scam operations. The IT security of most Federal agencies is so bad it's scary. And they won't change.
My wife points out that her employer passes off employee data of that nature to a contractor that handles their employee medical insurance.
Large databases with diverse pieces of personal information in one database with inadequate protection are just too attractive a target -- 500,000 social security numbers? The amount of money identity thieves can make from the sale of those SSNs, and the damage done to individuals, is staggering. But will there be any penalty beyond a slap on the wrist for insufficient security?
To clear up a few misconceptions that I've seen from the posts:
HIPAA is now worded in such a way that it allows health care providers (and other "covered entities") to share medical information about a patient without consent for a number of reasons. The result is that information in your file may be shared with others without you ever finding out. The best place I've found for information on HIPAA is at the Health Privacy Project. Go to their page and do a search on "HIPAA" and you will find out everything you ever wanted to know about HIPAA.
HIPAA makes it easier to circulate information once gathered, but it is not itself a storage system. For a huge storage system, go check out the Medical Information Bureau (MIB) web site. They have a FAQ about what they do, what medical information they store, and who they share it with. MIB exists to prevent fraud (a good thing), but I'd sure like to know what their security is like.
Finally, for another reason to repeal HIPAA and decentralize information, read about the "Emergency Health Powers Act". Again, designed for good reasons, but could be applied in very heavy-handed ways. The Health Powers Act specifically shields companies from liability.
You or I must yield up his life to Ahrimanes. I would rather it were you.
I should have no hesitation in sacrificing my own life to spare yours, but
we take stock next week, and it would not be fair on the company.
-- J. Wellington Wells
- this post brought to you by the Automated Last Post Generator...