Break-In Compromises 160k Medical Records At UC Berkeley
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The break-ins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
If it's connected to the internet, it's just a matter of time.
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Don't hire computer security people from California; they seem to have all the break-ins.
Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Nothing is impossible. It just hasn't been figured out yet.
Were the databases Microsoft-based?
"To err is human, to mod Funny divine."
This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this off safely.
This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data? Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personally identifiable information in the hands of credit thieves? And in the break-in scenario, there's less stolen data. You're not walking out of a medical building with 160K charts... Or 8 Million in VA.
Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens every day, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSNs, DOBs, etc. into the garbage or post them to the net. It's horrific. At least when a hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.
http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/
The email informing students of the breach was sent on May 8th. It was all over the news last Friday.
Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.
If you don't have these accounts, you won't be vulnerable to monetary or identity theft.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
It sounds like someone stole the plot to The Cuckoo's Egg, which is a real-life story of overseas hackers using UC Berkeley's computers to infiltrate military computers rather than medical data.
It wouldn't surprise me if this was an inside job to help get funding and laws through congress in order to consolidate medical records in the hands of the government.
Not surprisingly this comes soon after the NAS said we need to establish a policy of committing cyber attacks against "enemies."
http://www.google.com/search?hl=en&q=nas+cyber+attack
...they left this information accessible to the public because?
"Our goal each year should be to increase the number of goals we set for ourselves!"
It's not just military-grade information that needs protecting.
If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-phishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.
With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.
For some systems, a man in the middle is overkill; alarms that trigger when there are more than a typical number of data requests are sufficient. However, automated alarms, like any automated system, can theoretically be compromised.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
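The request-volume alarm suggested in the comment above, as an added example that is not part of the thread: it flags any account that reads far more distinct records in one clock hour than its own history predicts. The log format, account names, baseline counts and the `k` and `floor` parameters are assumptions, and the log lines are constructed.

```python
"""Volume alarm for record reads: flag account-hours far above that account's norm."""
import statistics
from collections import defaultdict
from datetime import datetime


def parse(line):
    # Assumed (constructed) log format: "<ISO timestamp> <account> READ <record_id>"
    ts, account, _op, record_id = line.split()
    return datetime.fromisoformat(ts), account, record_id


def hourly_distinct_reads(lines):
    """Count the distinct records each account read in each clock hour."""
    seen = defaultdict(set)
    for line in lines:
        ts, account, record_id = parse(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        seen[(account, hour)].add(record_id)
    return {key: len(ids) for key, ids in seen.items()}


def threshold(history, k=6.0, floor=10):
    """Median + k * MAD of past hourly counts. `floor` is the minimum limit and
    also covers accounts with no history or a perfectly flat one (MAD of 0)."""
    if not history:
        return floor
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    return max(floor, med + k * mad)


def find_alarms(lines, baseline, k=6.0, floor=10):
    """Return [(account, hour, count, limit)] for account-hours above the limit."""
    alarms = []
    for (account, hour), count in sorted(hourly_distinct_reads(lines).items()):
        limit = threshold(baseline.get(account, []), k, floor)
        if count > limit:
            alarms.append((account, hour, count, limit))
    return alarms


# Constructed history: distinct records read per hour over seven earlier hours.
BASELINE = {
    "billing_app": [9, 12, 10, 11, 8, 13, 10],
    "web_frontend": [3, 4, 2, 5, 3, 4, 3],
}


def sample_log():
    """Constructed log lines: two ordinary hours and one bulk read at 03:00."""
    lines = [f"2024-03-04T10:{m:02d}:00 billing_app READ P{1000 + m}" for m in range(11)]
    lines += [f"2024-03-04T10:{m:02d}:30 web_frontend READ P{2000 + m}" for m in range(4)]
    lines += [
        f"2024-03-05T03:{i // 10:02d}:{(i % 10) * 6:02d} web_frontend READ P{i}"
        for i in range(600)
    ]
    return lines


if __name__ == "__main__":
    for account, hour, count, limit in find_alarms(sample_log(), BASELINE):
        print(f"ALARM {account} {hour:%Y-%m-%d %H:00} read {count} records (limit {limit})")
```

Counting distinct records rather than raw requests keeps a client that re-reads one chart in a loop from raising the alarm, while a walk through the whole table still does.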
How did they manage to not once mention what Operating System these 'computers' run on?
davecb5620@gmail.com
The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.
I mean, yeah, it's good that someone is reporting, but this sort of thing seems to be run of the mill these days. This sort of occurrence is happening more, not less, to the point that security admins need to start taking this type of threat more seriously.
The musings of just another geek and his junk.
Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...
'Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk'
When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Let's say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
"It would seem to me that this would be an argument for a national EMR database"
.. and who scored that nonsense up 'interesting'?
...
I totally agree
"This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this off safely"
Look, all it takes is to implement systems that are as secure as possible and some kind of irrevocable auditing capacity, as in you notice the hacking attempt before it succeeds.
So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.
I wish that were funny.
Berkeley has these old "Nuclear Weapons Free Zone" signs all over.
The University of California at Berkeley is also a heavy user of H-1b visas. In the last 8 years, UC Berkeley has applied for 977 H-1b Visas. It isn't clear how many of these related to their computer staff, but traditionally about half of all H-1b visas are used for that purpose. It is simply not credible to bring numerous foreign workers from places where you can't even reliably do a background check (people are regularly declared dead in India and simply can't sort it out) and expect to maintain any semblance of security.
The management of UC Berkeley should be investigated for criminal negligence.
Colleagues,
We want to let you know that today the campus is sending notification letters and emails to members of our community to inform them of a computer breach that resulted in the theft of personal information from databases in our University Health Services, UHS, area.
The victims of this crime are current and former students, as well as their parents and spouses if linked to insurance coverage, who had UHS health care coverage or received services. We are also sending notification letters to Mills College students who received, or were eligible to receive, healthcare on the UC Berkeley campus.
We sincerely regret and apologize for any difficulty this theft may create for individuals who may have had their personal information exposed. We have alerted campus police detectives and the FBI, and are doing all that we can to investigate this crime. All of the exposed databases were immediately removed from service to make sure that they would be completely protected from any future attacks.
Those individuals directly affected by the theft will receive letters with detailed information on steps that they can take to protect their credit and identity. We have launched a dedicated web site, http://datatheft.berkeley.edu that contains detailed information for affected individuals, the media and the general public. In addition a Data Theft Hotline, 888-729-3301 will be operating 24 hours a day, 7 days a week to answer questions from affected individuals.
UC Berkeley computer administrators determined on April 21 that electronic databases in UHS had been breached and data stolen by overseas criminals. The databases stored personally identifiable information used for billing such as Social Security numbers, and non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history.
Please be assured that UHS electronic medical records, which include details of patients' diagnoses, treatments and therapies, are stored in a separate system and were not affected in this incident.
To ensure that we fully understand the nature of the security breach and to determine the steps that we can take to minimize the risk of a reoccurrence, the university has hired an outside auditor, Price Waterhouse Coopers, to support our ongoing investigation of the incident. The campus is committed to implementing recommendations that address the root causes of this security breach.
Steve Lustig
Associate Vice Chancellor
Health and Human Services
Shelton Waggener
Associate Vice Chancellor & CIO
Information Services & Technology
If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.
However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.
There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Social security numbers were stolen, and some data about which doctors had been referred. However, it specifically says that medical records were stored on a different system, which was not compromised.
For the past several years, the management of university IT departments throughout the country have been more concerned with ITLP than they have been about providing reliable AND secure service.
The engineers who dare to point out that the emperor has no clothes are outshouted at once, and their names recorded for the next round of layoffs.
I am personally familiar with a HUGE security vulnerability involving SSNs at a very large and well-known university. The problem has existed for years, but management takes the approach of "we haven't had a breach, therefore we are secure" then pats itself on the back and gives itself a raise.
Windows or a BSD flavor?
From http://berkeley.edu/news/media/releases/2009/05/08_breach.shtml :
"The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server."
What idiot stores a database with sensitive info on a public webserver?????
2.) make it illegal to store a social security number/credit card number?
That's not the heart of the problem. There is nothing magical about a SSN beyond being a useful unique identifier to distinguish John Doe from John Doe.
The problem is that SSNs get used for both identification AND authentication!
>Hi, I want a credit card
-Name please?
>John Doe from NYC, NY
-Um, which John Doe? Is there some piece of information that uniquely identifies you?
>John Doe, SSN 123-45-6789
-We need to verify that you are actually this person. Is there some private information that you would never tell anyone and only you know?
>Well, my SSN is 123-45-6789
-Very good. Since obviously that's such a complicated and secret 9-digit number, you must obviously be who you say you are. Here's your new credit card.
My solution: The Social Security Administration announces that on July 1st, 2010, all SSNs and the names they are associated with will be published and available to everyone. Leave it up to the finance and health care industries to stop using SSNs as authentication.
Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
Unfortunately, there is (and can be) no such proof. It's a part of the fundamentals of security: you can't prove a negative.
The way I see it, we really have three choices for protecting data:
The problem with the first approach is that's what we're all "supposed" to be doing, but obviously are not. With millions of sites and retailers etc., there are always going to be leaks.
The second solution is the easiest and best way to protect your organization. Why store the data if you don't need it? Do they really need my SSN in their database? They could use their own numbering system. Why do they need my address? If I'm in a hospital, I'm not at home, I'm in the bed in room 217C -- if they want to find me, I'm right there. Do they even need my name? Why do they need all these different identifiers, and why do they need to tie them all together in a common database?
The third option requires a fundamental change in how credit is granted, but is one of the best approaches to stem the tide of data thefts across the board. While it would remove incentive to steal the data for financial reasons, it would do little to protect against data theft for other reasons (perhaps a list of HIV-positive patients could be used for extortion: pay me a million dollars or I post it on the web.)
These approaches are not mutually exclusive. We can employ them all at the same time. It's just that it has to be done, and without tools like lawsuits or other punishments, few organizations are doing them.
John
thankfully my full medical record is only 96k, so it's safe.
A fourth would be separation of data onto different databases on different servers. If social security numbers are not needed, have those stored in a smaller armored database that doesn't connect to the Web. Instead, use another number.
This way, if an application needs information, it can grab what it needs, but no more.
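The separation described in the comment above, as an added example that is not part of the thread: the web-facing database holds only a random surrogate number, while SSNs sit in a second store reachable through one logged, single-record lookup. The table names, the `PT-` prefix, the allowed purposes and the sample people and SSNs are all constructed, and two in-memory SQLite databases stand in for the two separate servers.

```python
"""Surrogate identifiers in the application database, SSNs in a separate vault."""
import secrets
import sqlite3

ALLOWED_PURPOSES = {"billing", "insurance_claim"}  # assumed policy for the example


def open_stores():
    """`app` is what the web application can reach; `vault` stands in for the
    isolated server that holds SSNs and never accepts connections from the web tier."""
    app = sqlite3.connect(":memory:")
    vault = sqlite3.connect(":memory:")
    app.execute("CREATE TABLE patient (patient_id TEXT PRIMARY KEY, name TEXT, immunized INTEGER)")
    vault.execute("CREATE TABLE ssn (patient_id TEXT PRIMARY KEY, ssn TEXT NOT NULL)")
    vault.execute("CREATE TABLE access_log (patient_id TEXT, purpose TEXT, allowed INTEGER)")
    return app, vault


def enroll(app, vault, name, ssn, immunized):
    """Issue a random surrogate number; the SSN is written only to the vault."""
    patient_id = "PT-" + secrets.token_hex(6)  # not derived from the SSN in any way
    app.execute("INSERT INTO patient VALUES (?, ?, ?)", (patient_id, name, int(immunized)))
    vault.execute("INSERT INTO ssn VALUES (?, ?)", (patient_id, ssn))
    return patient_id


def lookup_ssn(vault, patient_id, purpose):
    """The only read path into the vault: one record per call, every attempt
    logged, and no bulk-read function exists at all."""
    allowed = purpose in ALLOWED_PURPOSES
    vault.execute("INSERT INTO access_log VALUES (?, ?, ?)", (patient_id, purpose, int(allowed)))
    if not allowed:
        raise PermissionError(f"purpose {purpose!r} may not read SSNs")
    row = vault.execute("SELECT ssn FROM ssn WHERE patient_id = ?", (patient_id,)).fetchone()
    return row[0] if row else None


def app_db_contents(app):
    """Everything that is readable through the web-facing database."""
    return app.execute("SELECT * FROM patient").fetchall()


def demo():
    app, vault = open_stores()
    # Constructed records; area number 000 is never issued as a real SSN.
    pid = enroll(app, vault, "Jane Roe", "000-12-3456", True)
    enroll(app, vault, "John Doe", "000-65-4321", False)
    exposed = app_db_contents(app)
    ssn = lookup_ssn(vault, pid, "billing")
    try:
        lookup_ssn(vault, pid, "newsletter")
        denied = False
    except PermissionError:
        denied = True
    log = vault.execute("SELECT purpose, allowed FROM access_log").fetchall()
    return exposed, ssn, denied, log


if __name__ == "__main__":
    exposed, ssn, denied, log = demo()
    print("web-facing rows:", exposed)
    print("vault lookup for billing:", ssn, "| newsletter denied:", denied)
    print("vault access log:", log)
```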
[M]y solution: The Social Security Administration announces that on July 1st, 2010, all SSNs and the names they are associated with will be published and available to everyone. Leave it up to the finance and health care industries to stop using SSNs as authentication.
I love this solution! The Social Security Administration always said the number was not to be used for identification. This would prove they meant it.
Credit suffers from the same problem, by the way. We use the account number as the account to charge as well as the authorization to charge. If we used a different value for authorizing (such as one generated on a smart credit card) there would be no need to protect account numbers, other than simple privacy.
John
Every time I connect to a corporate server, I discover unpatched software or expired self-signed certificates, md5 in place where sha1 could be used and many other flaws. No wonder there are breaches and information leaks as well as new hacked servers every day. Almost nobody cares about security and Conficker proves that by automatically infecting millions.
And I have the SSNs to prove it!
Berkeley? Home of "information wants to be free" (as in beer).
.
No news here. I thought that is the norm there!
Some states like California do punish companies who have a security breach involving Credit Card numbers and SSNs.
2.) make it illegal to store a social security number/credit card number?
If credit card numbers are hosted by your company, the company is probably subject to the rules established by the PCI Security Standards Council (See https://www.pcisecuritystandards.org/ ). If your business does not comply, the Payment Card Industry will not allow you to process financial transactions, or they will limit the amount of money your business can handle. These rules apply to any systems which touch the Credit Card numbers, even if the numbers are not permanently hosted on the systems.
The problem with implementing PCI DSS rules is mostly institutional, political and financial. It takes time, effort, equipment and money to bring a non-compliant business into compliance, and staff and management will often object to some of the rules ("But I need root access on the database server. It makes my life easier."), or they don't understand different aspects of security ("We have a firewall. That means we're protected, right?") In addition, many of the PCI rules are purposely vague to apply to a wide range of systems. They are subject to interpretation. You may believe one thing, but your PCI auditor may disagree, and a second PCI auditor may believe something else entirely.
I believe there are similar rules for Social Security Numbers.
"Can of worms? The can is open... the worms are everywhere."
Come to Canada where by law the only two entities that require your Social Security Number are the government and your employer. That is it. Many provinces strictly forbid anyone other than the government and employer from asking for or using your SSN.
I did a project with a medical insurance benefits system where we had to scrub the database of all SSN. We just had to send the taxable benefits papers to the client and they had to submit them to the government. The insurance company was not allowed any access by provincial law to have or use the SSN in any way.
As I understand it, in the US any financial transaction can require collection of your Social Insurance Number. I once heard that technically, which is the best kind of right, a 7-11 employee could demand your SIN when you buy your Slurpee.
Have we arrived at a point where the average person is better off having had their identity stolen? With so much identity theft having taken place and, perhaps, a great deal of stolen identities unreported, wouldn't one be better served having had their identity stolen. Being able to establish that one's identity has been stolen may be the most expeditious defense against actions brought resulting from stolen identity. There's security in numbers, unless of course those numbers are stored on a computer.
ideopath @ play
how long will it be before we can stop relying on something as easy to get as a social security number as a unique identifier?
I don't give a damn if some random criminals have access to my medical records. The organized criminals at Blue Cross, Aetna, and other medical insurance companies already have full access, and deny me all coverage based on my Crohn's disease while people with obesity-related diabetes, hypertension, and asthma still get covered.
Until laws are passed forbidding insurance companies from ducking rather than sharing risk, I just don't give a damn who has my medical records, because they can't hurt me any more than the insurance companies, who already have access, can.
It already is. California has a law (SB 1386) that has been in effect since 2003 concerning the responsibility of companies and government agencies to keep their databases secure and to publicly report any breach of confidential personal information within 30 days of the incident.
Full text of the bill is here: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
There are no fines imposed, but the public humiliation of having to admit that they lost data can cost a company plenty. And the company is held responsible for making sure that the people whose information was lost/stolen/compromised are fully compensated for any money they lost as a result of the breach. And they have to alert all the credit reporting agencies that everyone in the database whose information was compromised gets a Free Credit Report and can freeze their own credit report from all public access for any length of time until they choose to lift the freeze.
That by itself is a pretty serious penalty. If you want to impose a fine for every SSN compromised, every company that has any kind of a breach is going to go bankrupt. As if we don't have enough companies going bankrupt just as a consequence of the lousy economy, let alone due to a security breach.
It was at risk before it was infiltrated. Now the loss has been guaranteed.
Never go to sea with two chronometers; take one or three.
The federal government has already granted insurance companies carte blanche to your medical records. The fact this is sanctioned by the government is corrupt and despicable; nonetheless, no criminal element can harm you more than these insurance companies can, so this "theft" is a non-event.
Meanwhile, I'll continue to be denied all coverage because of Crohn's disease, which is not related to lifestyle, while people with obesity-related diabetes and hypertension continue to readily receive it.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
"Administration doesn't care about hackers until it is too late" - by Archangel Michael (180766) on Tuesday May 12, @01:22PM (#27924375)
Damn straight, & it cost me a job once in 2006: I was hired by a company called POMCO in Syracuse N.Y. to help secure their codebases done in VB6 (some of which we transitioned over to VB.NET because of its capacities for server-side apps mostly & built-in garbage cleanup) to scramble out SS#'s & such... I completed 3-4 apps in 7 months there... but?
Later, I discovered they were NOT securing down the "end points" (workstations, printers, etc. et al) fully, per this type of procedure outlined in this guide, to supplement work I & the other devs had done to the apps AND webservers + DB engines (SQLServer):
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it 'fun-to-do', via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=2ccbde62be4c73b6d069d86d5cf90200&showtopic=2662
----
I suggested that to be done, FIRST, on a "prototype" system!
(To be sure ALL of our apps would work using it (they did, @ least all the ones I worked on, because I eventually did my workstation that way @ their shop & ALL still worked), then "mass deploy" the settings using AD Group Policies &/or logon scripts (merging .reg files etc. et al)).
So, upon discovering this?
I went to the CIO first, privately, telling him:
"This needs doing as well as securing down code & DBs! IF you don't? It WILL eventually get you "keylogged" most likely due to user error in unawareness of the dangers present online. Educate them all about it, in a meeting @ some point is the way to go! Simply, because all the security in the world won't help once the user's passwords are 'sniffed' out upon logon (to their workstations &/or DB backends through the front ends we devs built for them)".
I also used users to consult on the design of apps we built or rebuilt for them, which proved a TOTALLY "new wrinkle" for them, because the main user of one of the apps was in our morning meeting we had once a week and actually THANKED ME for it!
(The sad part? The other developers, not all, but the main one? Literally called them "STUPID", & I was like "You're the stupid one: Those people, first of all, know THEIR JOBS far better than we do, & THEY KNOW WHAT THEY WANT TO SEE & USE... plus? They're the reason WE HAVE A JOB IN THE FIRST PLACE!". This was a 6 yr. developer leading that shop, & it showed, especially w/ THAT attitude towards his users - his work was also quite shoddy, lacking error traps & wasn't 'automated' enough... so much so, that I had to run one of his 'apps' daily, costing me 30 hrs. a month in MY TIME as a junior dev. there (though I had 15 yrs. under my belt as a pro in this field, with VB/C/C++/Fortran/COBOL/Assembler & more under my belt by that time, I was still the "new kid on the block" learning their data schema, which was NOT puny (insurance company data never is))).
What happened in the end? Well, I found a virus on my system, after asking "Are you monitoring me with some kind of application", they said "NO", so I showed it to them... turns up, it was a virus (keylogger) & I wasn't the ONLY person who had it...
I later found out the CIO (stupid MSCE type, no real years to decades of hands on experience in this field either, probably a relative of the owner or buddy of a higher up in that company is my guess) had set up TREND MICRO's antivirus ALL WRONG... 7 months out of date is what the signatures were... it was USELESS at that point against current threats.
They swiftly went to AVG free edition, & knowing the CIO there? He probably didn't license it legally...
(Which, I am sure, that AVG would like to "get wind
It is already illegal, because this was medical data. For allowing this data to escape, UCB is subject to civil monetary penalties under HIPAA. These penalties go at $100 per violation, which means they'd theoretically owe $16,000,000. Unfortunately, the penalty is capped at $25,000 per year, so it's going to be a drop in the bucket.
Now, if the data was compromised knowingly by an employee of the University, then that employee as well as the university would be subject to criminal fines of up to $250,000 and up to ten years prison time. But that's probably not the case here.
It was probably students on campus using Tor.
Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
I thought it meant BSD software distribution.
Crap. What did the new CSS do with the "Post anonymously" option??
Is it just me or should we just accept that SSN is no longer sufficient for identifying an individual? Why are we spending millions (billions?) of dollars to secure a name and number?
My identity has been stolen three times and it's never been more than a minor inconvenience. - "No, I didn't rent-to-own that new refrigerator." Why are the companies that issue credit still accepting this as the only required form of identification? It's lazy.
I like how it is mentioned that the break-in put the records at risk. If someone managed to break in, weren't the records at risk already before the break-in?
... and we want to make more of our info available online??
So, on (what should be) secure systems that contain SSNs, they do not check the logs for *5 months*, do not have any sort of intrusion detection system looking for odd activities, like, you know, your database being sent off your network? Bloody hell.
I think that *is* probably the case here. I work as a systems administrator in a small department at UC Berkeley. The university has been quite clear in communicating to employees the meaning of California law (SB 1386). Specifically, all departments and institutions on campus received repeated notices and instruction on purging any non-encrypted personal identification data (SSNs, credit card numbers) from campus computers.
Heads really should roll on this one, at both staff and managerial levels. The compromise happened with full knowledge of the requirements under the law.
seemed pretty rhetorical to me. would you care to question my judgment some more?
"You can't foolproof a public facing system..."