Military Healthcare Data Stolen
An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families are contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
This makes me think of all the conference speeches I've given on security, watching folks yawn through the physical security sections.
Firewall indeed.
-JPJ
Feh.
What makes people so sure they were after the computer for that data? They probably stole it so they could play The Sims Online.
Most computer hardware is stolen to be sold on as computer hardware. These could be your standard issue thief who is only likely to sell on the hardware itself, without ever knowing he even has the data. Of course it could be someone who has an interest in the data, or someone who just wants to say a big F**** YOU at the guys in charge of these things. If this hardware isn't UV marked or otherwise, so it can be detected later, I would be very disappointed. At my college we UV mark EVERY piece of hardware, and things like optical mice (i.e. not the cheap ones no one wants to steal) are locked to the workstations, so you couldn't steal them without breaking them.
Actually, because of a somewhat recent (Clinton... 1996) Democratic idea, a new act was passed called HIPAA (Health Insurance Portability and Accountability Act of 1996). This creates a lot of change in the way we handle patient information. New electronic billing formats, and even patient sign-ins. I think that they're also going to make it where any procedure done to you must be approved by the insurance first... which really pisses me off.
Anyway, a main goal of HIPAA is the Doctor-Patient confidentiality (which is in existence today, but not really upheld). Basically, the simple fact that you go to a certain doctor is considered "secret" by federal law... I'd imagine that for the military, it's a little more strict.
If we let people steal military data, then the terrorists have already won.
I never thought I would use that phrase in a case where it actually makes sense.
If you have ever had to deal with Tricare, I feel your pain.
It is *the* worst insurance system in the world.
Call them twice - ask the same question - you will get a different answer 85% of the time. There are times, in fact, where it's been better to *not* use them at all, and just pay outright.
I feel for all you who are forced to use Tricare, and are now possibly screwed somehow because your info was stolen. Keep your eye on your accounts and whatnot, I know we will be doing so more than ever.
http://slashdot.org/~tf23/journal
had to prep all of his vital information "in
the event of". This data probably contains
all the info one could ever desire to carry
out successful ID theft:
- *All* vital stats (in original form?) including for dependents?
- Individuals that will be unable to detect the theft for an extended period
- A SNAFU the size of Iraq to keep the authorities busy
My solution:
Dissolve the assets of the company
as a lesson for protectors of our data, and
make a slush fund to pay out when the
attacks start.
Sure, there is. In many situations, where you entrust companies or individuals with valuable or private information, they have a responsibility to take reasonable care to keep it private. It's just that there aren't particularly stiff penalties right now. And that has resulted in an unacceptable carelessness by companies when dealing with customer information.
The business deserves, simply, to lose its government contract. Why you want to complicate this matter and rewrite corporate law is beyond me.
We have notions of "fiduciary duty" and "criminal negligence" for physical property. It makes sense to apply them to what companies do with personal information.
You see, your private information is valuable. If it falls into the wrong hands, you may lose your life savings. Companies that you entrust with it have a duty to treat it with care.
Furthermore, the taxpayer shouldn't be responsible for tracking down losses that are enabled by the complete carelessness of poorly run businesses.
It's a well-established legal principle that if you entrust somebody with something valuable, in many cases, they are legally responsible if it's lost or stolen if they didn't take proper care of it. In fact, airlines are liable for loss of your luggage even if they did take proper care of it.
Since personal information is often much more valuable than luggage and since losses are hard to quantify (e.g., suffering from identity theft, etc.), penalties should be stiff.
If a company takes reasonable care to secure their computer systems physically and against break-ins, then they shouldn't be penalized for negligence when data is stolen (although they may still be liable). But this case, like most others, smacks of complete negligence on the part of the company.
About 8 years ago when I was in the Navy, we were REQUIRED to submit a blood sample and cotton swab of the inside of my mouth. We weren't given a choice, we were told refusal would be grounds for discharge.
We had a lot of questions about this, such as: storage (where, how long), would they be destroyed after discharge, could it be used against us (in legal proceedings, for insurance purposes)?
We weren't given the answers to those questions. Now I'm wondering where the hell that vial of blood and cotton swab is right now. How secure is it? How could a DNA sample labeled with my SSN be used against me?
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
While HIPAA was passed in 1996, no one has been required to implement the requirements, as all healthcare providers are scared of the act, and have filed for extensions.
As far as I'm aware, the next round of extensions run out next October.
However, nothing I've seen about HIPAA would have stopped this. It just instructs them to take "reasonable precautions", and describes what types and combinations of information can't be accessed by unauthorized users.