Slashdot Mirror
Military Healthcare Data Stolen
An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families is contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information.
Well if the military keeps a record of imunizations of its soldiers, then any country wishing to use bio weapons upon the US could use their medical record to determine which viruses/bacteria/pathogens they are weakest against.
To steal from somewhere the military has a huge interest. They'll probably spend the cashola on the investigation, and when they are caught someone is going to get it REALLY hard right up the ...
I work in healthcare
Healthcare sysadmins are often pretty poorly paid and are often people who would not make it in a business environment, and the security is often minimal. I know, I 'test' it.
I think we will have a few more of these disasters until the healthcare industry realises that IT is part of its core business and has to pay accordingly.
Humorous signatures are over-rated.
This makes me think of all the conference speeches I've given on security, watching folks yawn through the physical security sections.
Firewall indeed.
-JPJ
Feh.
The Defence Department learns that Windows are a problem in information security.
(Score: -1, Stupid)
What makes people so sure they were after the computer for that data? They probably stole it so they could play The Sims Online.
maybe the US governement should secure their equipment a little better before they try to secure the internet.....
Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail, law enforcement should really focus on the criminals that are easy to identify and prosecute: companies that don't treat customer data with appropriate care. If a few high-profile cases resulted in hundreds of millions of dollars in fines, these cases would soon stop happening: companies would finally make the modest investments necessary to keep customer data secure.
Most computer hardware is stolen to be sold on as computer hardware. These could be your standard issue thief who is only likely to sell on the hardware itself, without ever knowing he even has the data. Of course it could be someone who has an interest in the data, or someone who just wants to say a big F**** YOU at the guys in charge of these things. If this hardware isnt UV marked or otherwise, so it can be detected later, i would be very dissapointed. At my college we UV mark EVERY piece of hardware, and things like optical mice (i.e not the cheap ones no one wants to steal) are locked to the workstations, so you couldnt steal them without breaking them.
forget about virtually protecting patient data with VPNs and encrytption... how about some physical security? They state that there was "reasonable security" for a company; hmmmm... obviously that hinges on your definition of reasonable.
Data like this is a gold mine if the thieves have any idea how to use it. I hope they are advising people to put fraud alerts on their credit reports... but there are things worse than identity theft. What might that information be worth to a foreign power, or terrorist organization?
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
My question would be, did the thieves know that the computers contained military data, or were they just hijacking computers?
It said that "hard drives" were stolen... what about the rest of the PC? If other electronic equipment was stolen, it could just be a simple theft.
Regardless of the target, I have a feeling the military will be doing a detailed investigation. If it's just common crooks, they could find themselves in a whole lotta trouble after messing with the military.
"Yes, Lieutenant. I've already heard your name, rank, and serial number, over and over again. Now, I'd like to show you this photo... Steady! (Hold him, please.) Our sources looked up your next of kin in your medical records... This is a recent photo of your mother and father, hm? Our operatives are quite good at photography, we train them well.
"Now where were we? Oh yes. Now, Lieutenant, I'd like you to begin talking. And please remember, your parents' lives depend on what you say. Name, rank and serial number are not acceptable."
Nah, if the thieves were really after the information and not the hardware, they'd just mount the drives on a new computer. Access the files that way. This just proves that physical security is just as important as on-line security. Does you no good to secure a critical server against online attacks if you put the server in an insecure physical environment. The article implies that the building that contained these servers are standard office buildings. Simple locks on interior doors and many people with access to the building. Not exactly what I'd call secure.
Encryption is a good point, but what do you think the chances are any of the data is encrypted. Slim?
(Score: -1, Stupid)
How can someone just walk out of a building with a computer?
Smash window, climb through, grab computer, walk out.
Isnt the data encrypted on disk?
Don't count on it.
Why does a contractor even need SSN's, etc?
A soldier's military service number is his SSN (been that way since the 70's or so). All of a soldier's records are tied to it.
if you haven't got physical security, you haven't got ANY security.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
I happen to be in the military, though just an Airman First Class, and due to the nature of my assignment I have to deal with contractors pretty often. Because of how the system works it seems like most of the time the military is getting hired by the contractors. More often than not we have to meet thier standards and I have yet to see an off base contractor that would meet DoD 'standards' for security. Furthermore, since all of our individual records are tracked by our social security numbers we don't really have much in the way of private information (there's "Privacy Act of 1974" stickers everywhere but that's pretty much a joke to begin with). I'm not sure why there'd be credit card information there and I've never heard of TriWest (Tricare is our health provider, typo maybe?) and judging on past experience I'd be surprised if the affected military are notified. Heck, I'd be surprised if they know which individuals it was. As for whether it was the hardware or software the theives were after, all I'm going to say is a lot happens right here in the Midwest that the general public is never aware of. There are active terrorist cells on US soil but for one reason or another there's not a lot we can do about them.
The real guts of story might be that this will be a poster child for what can go wrong with centralized health care databases. In the long run, this might be a good thing to have happened.
Is it any wonder? These contracts always go to the lowest bidder. I'd not be surprised to learn it was an "inside job", and that something nastier than identity theft or credit card fraud shall transpire. I hope I am wrong. I also remember how sloppy the military was (and still is I would presume) with my records.
Why does a contractor need SSNs?? Well for a primary key, goofus! They havent heard of the SERIAL thingy in PostgreSQL as of yet.
nerd joke rimshot!!
So this suggests that the U.S. Government's Total Information Awareness program would be a nice, juicy target. After all, everything's in one place...
Some new sysadmin decided to show how forward thinking (can I say that on /.?) he was and decided to sneak linux in through the back door. Hmmmm, now where could he get a server that doesn't seem to be doing anything?? The server wasn't stolen, it's by his desk running samba!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
I don't see how a system with such crappy security could have been in compliance with HIPAA. Anyone understand that stuff well enough to say? It sounds like that company may be facing some penalties.
Imagine how much fear a terrorist group could install in US military personnel with that sort of date. Makes you think.
-psy
When people say "the data on the computer should be encrypted" I usually reply "with what?"
You cannot just encrypt the data, you can only
encrypt a data with a key.
Storing key on the same computer with the data
is a waste of time and money, it's the same situation as storing the key from your apartment
under the rug at the apartment's door.
Of course some data can be mangled by MD5ng or
SHAing (hashing) it -
a good read about this (and related) technique is at Translucent Databases,
but technically it's not an encryption.
I'm currently serving in the military. Our SSNs are tied to all of our records - financial, medical, everything.
:-(
The number of credit card numbers that TriWest has is probably relatively small. I know they don't have mine. I think the only reason they would have to need credit card information is if a soldier had to pay for a medical procedure that isn't 100% covered (usually involving dependants/spouses).
The biggest threat that this theft creates would likely be identity theft, although due to the aforementioned prevalent use of the SSN in nearly all military records, this might not even substanially raise the exposure service members already face. Google shows scores of web sites and articles regarding military identity theft.
I guess that's what I get for serving my country.
Did the DOD think to have these sensitive files encrypted? Don't most online stores encrypt their credit card databases now?
I may not be the most paranoid person I know and I think it's a bit crazy to go to such lengths but if a file is that important why wouldn't you?
Why not go the extra mile and use and encrypted file system as well? Wait, that's the paranoid side of my thinking again.
I guess it takes a lot of high profile incidents like this to get folks to wise up about security on all levels.
Trust me. Unless it's actually classified... it's not encrypted.
Healthcare data isn't classified.
If you have ever had to deal with Tricare, I feel your pain.
It is *the* worst insurance system in the world.
Call them twice - ask the same question - you will get a different answer 85% of the time. There are times, infact, where it's been better to *not* use them at all, and just pay outright.
I feel for all you who are forced to use tricare, and are now possibly screwed somehow because your info was stolen. Keep your eye on your accounts and whatnot, I know we will be doing so more then ever.
http://slashdot.org/~tf23/journal
One of the doctors needed to back up his hard drive for a reformatting at home and thought "Oh, if i swipe it for the weekend, nobody'll notice."
It's in the first line.
Thieves who broke into a government contractor's office snatched computer hard drives containing Social Security numbers, addresses and other records of about 500,000 members of the military and their families.
Only the harddrives were taken from the machines, so unless the thieves were desperate for more space to download mp3s onto, then it's quite probable that they were just after the data.
"Free software as in beer, copy protection as in racket" - Telsa Gwynne
Mugging victim: ... gah! Police officer! That man over there just punched me in the face and stole my wallet! Help!
Policeperson: Sorry, you should have treated that wallet with more care. In fact, here's ticket for a few hundred million dollars that will help motivate you to "take better care" of your wallet.
had to prep all of his vital information "in
the event of". This data probabaly contains
all the info one could ever desire to carry
out succesful ID theft:
- *All* vital stats (in original form?) including
- Individuals that will be unable to detect
- A SNAFU the size of Iraq to keep the
My solution:for dependents?
the theft for an extended period
authorities busy
Dissolve the assets of the company
as a lesson for protectors of our data, and
make a slush fund to pay out when the
attacks start.
In the military everything is tied to your social security number. It's on all my paperwork from the enlistment contract to the piece of paper where I agreed not to have sex w/my recruiter. They put it on the ID cards. I had to use it whenever it went to sick call. It's spray painted on the outside of my duffle bag. It's even on a chain that I'm wearing around my neck right now (aka, my dog tags).
But even out in normal civilian life, the social security number is extreamly overused. I tried to test drive a car once and the dealer wouldn't let me because I wouldn't give them my SSN.
Life has many choices. Eternity has two. What's yours?
As a member of the military, I am ~really~ curious to know what they could do with that info.
/alot/ more info. Alot.
Someone mentioned immunization records. But who cares if some 80 yr old retired Sgt Major had his TB recently? And untill you correlate Soldiers with Units, that info won't do you much good. If you wanted to know that, why not steal if from the Unit... it wouldn't be to much harder; and would provide
I personally think that they where after SSN's, and just happened to view a haul of 500k as too good to pass up. I don't believe that the fact it was military was of consequence. Which is why I also believe that it was American Civilians that did it, not some Foreign Agent. If so, I'm f*'ing pissed.
I don't need to say how well you can screw someone over with thier SSN; imagine the entire Military preoccupied with sorting out thier lifes; worried about a wife (or husband) and children having to deal with identity thieft while the soldier is busy overseas.
--Cam
All jocks think about is sports. All nerds think about is sex.
For the same reason that basically any kind of media out there ultimately can't be hack proof, a compromised box will be hackable regardless of the OS. In fact, that's quite independant of the OS. It's only the FS that would determine how 'readable' the data on a box is...
See the issue is: no matter how strong crypto you use, you need to store the key somewhere. And I'm pretty sure these guys didn't have some sort of centralized key server...
At best, all they need is some guys with scruffy beards and pimples stuck in a basement for a week, and a never ending supply of Mountain Dew.
At worst, they boot the system and it's ready to fly.
Whamo.
If they have the freaking media in their hands, no amount of software tricks can secure it. Unless forensics can catch up with them, they have all the time in the world to apply as many monkeys and typewriters as they wish. They're not going to say "Oh, gee, it's going to take days to break this encryption. We better return the computers instead."
Attach GPS compatible tracking devices inside the computers.
The scenario, or the fact that someone thought this was "funny?"
$5 / month hosted VPS on linux = awesome!
You see, your private information is valuable. If it falls into the wrong hands, you may lose your life savings. Companies that you entrust with it have a duty to treat it with care.
Furthermore, the tax payer shouldn't be responsible for tracking down losses that are enabled by the complete carelessness of poorly run businesses.
It's a well-established legal principle that if you entrust somebody with something valuable, in many cases, they are legally responsible if it's lost or stolen if they didn't take proper care of it. In fact, airlines are liable for loss of your luggage even if they did take proper care of it.
Since personal information is often much more valuable than luggage and since losses are hard to quantify (e.g., suffering from identity theft, etc.), penalties should be stiff.
If a company takes reasonable care to secure their computer systems physically and against break-ins, then they shouldn't be penalized for negligence when data is stolen (although they may still be liable). But this case, like most others, smacks of complete negligence on the part of the company.
Keep in mind that when geeks like us talk about 'harddrives', that's not the same thing as what the general population refers to as 'harddrives'. Nearly every non-geek I've met thinks that the case is the hard drive.
These thieves may have stolen the computers (leaving the bulky monitors), and the non-geek reporter wrote that they only took the harddrives.
Slashdot monitor for your Mozilla sidebar or Active Desktop.
About 8 years ago when I was in the Navy, we were REQUIRED to submit a blood sample and cotton swab of the inside of my mouth. We weren't given a choice, we were told refusal would be grounds for discharge.
We had a lot of questions about this such as; storage (where, how long), would they be destroyed after discharge, could it be used against us(in legal proceeding, for insurance purposes)?
We weren't given the answers to those questions. Now I'm wondering where the hell that vial of blood and cotton swab is right now. How secure is it? How could a DNA sample labeled with my SSN be used against me?
I hope that someday we will be able to put away our fears and prejudices and just laugh at people. - Jack Handey
So, now that there are moves to significantly increase the amount of information gathered, analyzed and stored on every citizen in the name of a war against terror, how are we supposed to feel confident that this information is not going to be stolen by some terrorist group or spammer and used against us?
Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail
It's the "rather than" that blows me away. It's not just that we have no way of knowing who was behind the crime, clueless or not, but that you somehow think there aren't the resources to go after everyone responsible.
Absent some sort of immunity, the contractor is civilly liable for consequential losses to both the government and the individuals. They appear quite aware of this judging from their remedial steps, and they have plenty on the line without the government butting in with "penalties." At worst the company was negligent -- and we don't know that, either. There is not a thing in the articles suggesting TriWest was at fault. As it now stands they may be a mere victim.
By my count thus far you're comment is riding atop three shaky assumptions. You're lucky there's no fine for ill-considered speculation.
I recommend German for all government titles of such offices.
;-)
It has a certain satiric edge
"It is a greater offense to steal men's labor, than their clothes"
That the thieves had no idea what data was stored on the computer(s), and just wanted to sell the hardware.
Needless to say, Triwest and the miltary have to plan for the worst, and have to assume that the data is actually going to be used for something, rather than just wiped when somebody fdisk's the computers and installs their OS of choice.
Unless the theives knew what they were stealing and stole it for the data (which I imagine would be worth way way way more than the hardware it's installed on -- the military and Triwest certainly will consider it so) and so they destroy the hardware rather than trying to pawn it, they're *very* likely to get caught. The serial numbers are likely to be known, and the police will be looking for them very actively.
And if they don't even bother to wipe the disk (quite common in stolen computers, apparantly), the buyer of the computer may find all this stuff on the computer, and may have heard of this story, and will call the police ...
And if they do catch somebody, that guy is going to get hit with a lot more than just a simple burglary rap. He'll probably be lucky if they don't classify him as a terrorist (with all the civil rights violations that go along with that) ... even if he's just a simple (but stupid!) burglar ...
The data on all media, including hard drives, should be encrypted. When a computer boots up and needs access to that data, an unswappable process needs to get the passphrase/key so that the information can be made available at run time.
now we need to go OSS in diesel cars
what a boring comment to be modded up.
he said linux!!! mod him up!!!!!
This is exactly what happened recently when a computer theft racket was exposed where young kids were sent to steal machines from schools here.
Whoever reported it wrote that kids were paid up to $AUS500 for each "hard drive" stolen from schools - the reality is kids were allegedly paid this much for stealing brand new fileservers and laptops.
a grrl & her server
This recent incident again illustrates the dangers of putting all one's keys so to speak (ie. social security number, name, address, etc) all in one place.
Though it could be worse...at least most "keys" government/industry have for individuals can be changed in instances of severe abuse of one's identity. But as biometrics come more into use, then the stakes become even greater...how does one revoke themselves?...Suicide perhaps?
Anyways, hope folks who design and implement these security schemes dispense with this "let's put everything in one place" mentality and design and build systems that feature more distributed security...otherwise there will continue to more and larger incidences of identity theft, etc.
Haha, very funny. You want to know what a military contract means? It means that the private firm will get PAID. It's not much of a stretch to blame this on privatization. Sure, government agencies aren't much better, but they're a bit less of a hodge-podge of security policies and standards. Emphasis on the "bit".
Uh no... Your non-geek translator must be malfunctioning. The case would be known as the "CPU". Thusly a non-geek "harddrive" would in fact be a 3.5" floppy, or alternatively, if they are a more advanced non-geek, it would be a ZIP disk. Of course the bulky monitors of which you speak could be translated to "the desktop" or, perhaps, "the window". Of course it's all moot, since they're going to fuck up their machine irregardless and you'll be getting a phone call at 2am after they try to insert their coffee into the "cup holder".
Only the harddrives were taken from the machines, so unless the thieves were desperate for more space to download mp3s onto, then it's quite probable that they were just after the data.
Well shit, let's call up the RIAA and let them track the f***ers down.
Really? I walked out of a large dentist's office after a service call with four 4GB drives of patient data just by saying "Can I keep your _OLD_ drives? I'm an enthusiast and these have hobbyist value!" The doctor told me to have fun with them. I trashed them after they sat in my rooom untouched for months, but I'm quite sure I could walk into pretty much any office with a computer-service company shirt on and a Compaq box and say "I'm here from JackYouTech to do a minor update to the servers, Please lead me to the closet." And successfully rip off the data.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
My bet is the machine was stolen so somebody could play Solitaire and download porn at home...
Probably nothing sinister....
It was one of the IT dudes' son playing UT 2003 and said, "Man this GForce card rocks! Lemme take it home and swap it with my Trident."
Believe it or not, people actually steal computers because they are worth money.
Isn't it more probable these computers were just stolen by some lowlife to sell them to make some money. The fact that it took a cpl of days to even realise that computers were missing makes it reasonable to assume that the hardware wasn't very well protected.
It seems like everything these days has to be about terrorism and national security to give the likes of Bush etc. more ammunition to do stupid things. Why is Slashdot participating ?
beauty is only a light switch away
Why is the US system so ridiculously vulnerable to identity theft? What would it take to secure the system? Can any Europeans opine on whether European smartcard identity systems are more or less secure than SSNs?
Female Prison Rape in NY
Personally, I only encrypt some of my partitions, for efficiency reasons, but in principle it's possible to encrypt all of your partitions (except a tiny /boot partitition).
Female Prison Rape in NY
Digital pix can be Emailed to some poor soldier's torturer overseas in mere minutes... personally, just the thought of that chills me to the bone.
All they need is one person who can get on base... contractor, volunteer, or reservist. Heck, even somebody's dependent teenager might fancy himself a political dissident and "do his part against the war." (I'm not ripping on principled objectors... we're talking traitors here) That's a huge number of people, and enough that you could probably find a "fifth column" among them, particularly if you're fighting an unpopular conflict. Enemy Intelligence agencies will exploit all kinds of things to coopt people... ethnic loyalties, family ties, sex, money, drugs, the foolishness of youth... the number of ways you can compromise a person and turn them into a spy is endless.
It's even easier if what they are asked to do is seemingly innocuous... "snap some pictures of house #X on Patton Street. Just some pictures, nothing else."
Also, people do live off-base. What about those bases where there is not enough on-base housing, or on-base housing has a waiting list of a year or more? The latter scenario is common in some states where the extreme cost of living/housing drives everyone to try to live on-base. Don't think that those military budget cuts haven't affected the housing availability. The housing military can afford off-base is typically in a seedier area, often apartments (particularly for junior officers and enlisted). Those areas are easy to surveil... lots of traffic, people hanging around... you can even rent an apartment in the same complex if you want to watch a "high-interest" target for a longer time frame.
This type of thing is nothing new... terrorists like the Red Army Faction, Black September, November 17, et al have done meticulous surveilance and research on their targets. There is a reason the military trains its personnel to be on the lookout for surveilance, tails, and the like (obviously, the more sensitive your position, the higher your suspicion). More than anything else, it pays to make yourself a harder target, and to act on your suspicions. If joe Al-Queda sees some security types sniffing around, they'll likely abort for an easier target.
The loss of this data is a huge screw-up on the part of the healthcare contractor. There is little more a terrorist organization or enemy power would need than those files. Those CID investigators better be feeling the heat.
It boggles the mind.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Stop hoping for the absurd: Government contractor in the healthcare field, using something out of the ordinary (anything other than Windows..) and using something other than a log-in password???? As an former healthcare employee and now a government employee, I can tell you that the security measures you are hoping for do not exist. Bone-stock Compaqs or Dell workstations, running Win98 or Win2K with nothing but log-in passwords (which are specified by the employees, not sysadmins...). The security beyond the physical security (obviously slim and none in this instance) is absurd and virtually nonexistent.
...we are from the government - we are here to help...
Dunno about that ... I used to work in a University and the thieves often would steal only the harddisks, or ethernet nics (at the time the cards were a bit more costly). I suspect this is because a single person can walk out of a computer lab with upwards of 50 harddrives, but only one computer. Oh yeah, DIMMS were another popular option.
:wq
It doesn't say that the harddrives were taken from computers. Could have been a RAID tower, a SAN or even a box full of those pull-out HDs.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Credit card numbers? I do not see the connection between your medical records and credit card numbers. When you are active duty you and your dependents DON'T pay for healthcare, there is no "billing", your military ID card was your payment. No one accepts money or cards at the hospitals or healthcare facilities, you could not pay someone if you wanted to. The only time I'd ever get bills is when one of my dependants went somewhere other then a military facility. I'd get a bill from the specific facility (not the military or their insurance company) of a small % of what was not covered. Maybe things have changed or this story is lacking information. Another question for this contractor.. Why would billing and medical information be in the same area anyway?
Bad boys rape our young girls but Violet gives willingly.
Have you ever been the victim of a property crime? I have, multiple times. There isn't any real effort at finding the perpetrators or recovery. It's the same with identity theft. I've been a victim of that, too.
If any of those 500000 innocent people have their identity stolen and their life savings taken away, most likely, it will ruin their credit ratings for years to come. They'll get their money back, eventually, because the credit card company eats the loss. But nobody will make an effort to find the criminals, and nobody will compensate the victims for the time and money they'll spend recovering their money and restoring their credit rating, not to mention the anguish and other problems.
The sad fact is that we already don't try very hard to find the perpetrators in a lot of property crimes--because it's too expensive.
The other sad fact is that we don't go after companies that treat data negligently. But while we can't easily stop muggings on the street, it is easy to stop mass theft of personal data from computer servers. The technology is there. It isn't very costly even. Companies just need to deploy it. And the only incentive for deploying it is if they face big risks and penalties when something goes wrong. Instead, banks keep deploying ASP on NT servers, don't use encryption to protect data, and don't bother keeping their systems up to date.
Absent some sort of immunity, the contractor is civilly liable for consequential losses to both the government and the individuals.
Yeah, and they'll pay up to individuals when hell freezes over. At best, they may play nice with the government because they want another contract.
They appear quite aware of this judging from their remedial steps, and they have plenty on the line without the government butting in with "penalties." At worst the company was negligent -- and we don't know that, either. There is not a thing in the articles suggesting TriWest was at fault. As it now stands they may be a mere victim.
I cannot construct a scenario in which the company could be a "mere victim". Anybody who has 500000 personal records stolen, in any shape or form, is almost by definition, negligent. At a minimum, the data should have been encrypted on disk with a key in volatile memory, so that if anybody walks off with the hardware, the data is useless. This is in addition to reasonable physical security--even for our rather non-secure data center, we have 24h guards and various alarms.
The only way I see in which the company could have been a "mere victim" is if they had been blackmailed into giving up the data and its cryptographic keys, under threat of death to hostages. That clearly didn't happen.
Large databases with diverse pieces of personal information one database with inadequate protection are just too attractive a target -- 500,000 social security numbers? The amount of money identity thieves can make from the sale of those ssns, and the damage done to individuals, is staggering. But will there be any penalty beyond a slap on the wrist for insufficient security?
To clear up a few misconceptions that I've seen from the posts:
HIPAA is now worded in such a way that it allows health care providers (and other "covered entities") to share medical information about a patient without consent for a number of reasons. The result is that information in your file may be shared with others without you ever finding out. The best place I've found for information on HIPAA is at the Health Privacy Project . Go to their page and do a search on "HIPAA" and you will find out everything you ever wanted to know about HIPAA.
HIPAA makes it easier to circulate information once gathered, but it is not itself a storage system. For a huge storage system, go check out the Medical Information Bureau (MIB) web site. They have a FAQ about what they do, what medical information they store, and who they share it with. MIB exists to prevent fraud (a good thing), but I'd sure like to know what their security is like.
Finally, for another reason to repeal HIPAA and decentralize information, read about the "Emergency Health Powers Act". Again, designed for good reasons, but could be applied in very heavy-handed ways. The Health Powers Act specifically shields companies from liability.
In win2k the key is stored on the same computer. It is protected from the wrong user getting to it but NTFS can be broken. If you happen to lose your key on win2k sure your fucked and nobody can help you but if you keep the key around someone else can get it as easily as you.
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep