Slashdot Mirror

← Back to Stories (view on slashdot.org)

Break-In Compromises 160k Medical Records At UC Berkeley

Posted by timothy on from the no-ivy-league-nudes-on-file-at-berkeley dept.

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

17 of 167 comments (clear)

  1. Duh.. by Anonymous Coward · · Score: 3, Insightful

    If it's connected to internet, it's just matter of time.

  2. Hackers or Crackers? by Anonymous Coward · · Score: 1, Insightful

    If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

    1. Re:Hackers or Crackers? by 0100010001010011 · · Score: 2, Insightful

      Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?

      (bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.

    2. Re:Hackers or Crackers? by Culture20 · · Score: 4, Insightful

      If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

      Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
      </feeding the troll>

  3. Auditing Logs by DigiWood · · Score: 5, Insightful

    Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

    --


    Nothing is impossible. It just hasn't been figured out yet.
    1. Re:Auditing Logs by Z00L00K · · Score: 2, Insightful

      That's only reserved for a select few sites.

      Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.

      And then - many systems today lacks necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless you are the programmer.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Auditing Logs by Archangel+Michael · · Score: 4, Insightful

      Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

      I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

      Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

      The old saying "don't fix it, if it ain't broke" runs many IT Depts.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  4. Brutal by lorenlal · · Score: 4, Insightful

    This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.

    This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.

    1. Re:Brutal by sys.stdout.write · · Score: 2, Insightful

      It would seem to me that this would be an argument for a national EMR database. Instead of having thousands of individual databases, all with different levels of security and admin competence, we would have one.

    2. Re:Brutal by plover · · Score: 2, Insightful

      But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

      Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?

      What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, credit fraud and identity theft would dramatically slow down.

      We stupidly keep putting up with this crap. Regardless of how much security burden we place on banks, stores, schools and hospitals, there are always going to be leaks. With so many millions of retailers that have little to no oversight, there statistically HAVE to be "weak spots." Always. We have to change the fundamentals if we're going to fix the real problem.

      --
      John
  5. Re:Time to live in secrecy by ewanm89 · · Score: 2, Insightful

    you also wouldn't have any proof identification or citizenship. No driving licence... And someone stated some health records were stolen in this case.

  6. And... by Random2 · · Score: 2, Insightful

    ...they left this information accessible to the public because?

    --
    "Our goal each year should be to increase the number of goals we set for ourselves!"
    1. Re:And... by Random2 · · Score: 2, Insightful

      But that's my point, why were they linked? Albeit more expensive, why not have a private server for just those databases, not connected to the internet? It seems like we need to worry about making our security better first so we don't have these problems. After all, removing the connection's the best way to stop someone hacking your computer.

      --
      "Our goal each year should be to increase the number of goals we set for ourselves!"
  7. Sometimes you need an air gap by davidwr · · Score: 5, Insightful

    It's not just military-grade information that needs protecting.

    If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

    With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

    For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Sometimes you need an air gap by Hatta · · Score: 2, Insightful

      So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?

      --
      Give me Classic Slashdot or give me death!
  8. Re:This is a huge, everyday, constant problem. by 0100010001010011 · · Score: 2, Insightful

    Maybe we should stop making SSNs the end all be all of who we are.

  9. Maybe they aren't. Re:Sometimes you nee by davidwr · · Score: 2, Insightful

    If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.

    However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.

    There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.