Slashdot Mirror

← Back to Stories (view on slashdot.org)

Break-In Compromises 160k Medical Records At UC Berkeley

Posted by timothy on from the no-ivy-league-nudes-on-file-at-berkeley dept.

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

5 of 167 comments (clear)

  1. Auditing Logs by DigiWood · · Score: 5, Insightful

    Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

    --


    Nothing is impossible. It just hasn't been figured out yet.
    1. Re:Auditing Logs by Archangel+Michael · · Score: 4, Insightful

      Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

      I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

      Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

      The old saying "don't fix it, if it ain't broke" runs many IT Depts.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Brutal by lorenlal · · Score: 4, Insightful

    This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.

    This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.

  3. Sometimes you need an air gap by davidwr · · Score: 5, Insightful

    It's not just military-grade information that needs protecting.

    If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

    With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

    For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. Re:Hackers or Crackers? by Culture20 · · Score: 4, Insightful

    If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

    Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
    </feeding the troll>