Slashdot Mirror
Break-In Compromises 160k Medical Records At UC Berkeley
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
If it's connected to internet, it's just matter of time.
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Nothing is impossible. It just hasn't been figured out yet.
Were the databases Microsoft-based?
"To err is human, to mod Funny divine."
This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.
This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.
Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.
http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/
The email informing students of the breach was sent on May 8th. It was all over the news last Friday.
Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.
If you don't have these accounts, you won't be vulnerable to monetary or identity theft.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
...they left this information accessible to the public because?
"Our goal each year should be to increase the number of goals we set for ourselves!"
It's not just military-grade information that needs protecting.
If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.
With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.
For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How did they manage to not once mention what Operating System these 'computers' run on
davecb5620@gmail.com
The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.
I mean, yeah its good that someone is reporting, but this sort of thing seems to be run of the mill these days. This sort of occurrence is happening more not less, to the point that security admins need to start taking this type of threat more seriously.
The musings of just another geek and his junk.
Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...
'Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk'
When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
"It would seem to me that this would be an argument for a national EMR database"
.. and who scored that nonsense up 'interesting'?
...
I totally agree
"This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely"
Look, all it takes is to implement systems that are as secure as possible and some kind of irrevocable auditing capacity, as in you notice the hacking attempt, before it succeeds
So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.
I wish that were funny.
If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.
However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.
There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What an idiotic comment: Assuming that all H1b visa holders are fraudulent criminals. Americans, instead are all angels. Yeah, right. Come on, on the opposite of you, I actually work at UC Berkeley (and I am a US citizen). Most of the H1b are granted to researcher who are valued as an asset for the university. If the US education system would be better than what it is, you would see a much lower number of H1b visas at UC Berkeley.
Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
Unfortunately, there is (and can be) no such proof. It's a part of the fundamentals of security: you can't prove a negative.
The way I see it, we really have three choices for protecting data:
The problem with the first approach is that's what we're all "supposed" to be doing, but obviously are not. With millions of sites and retailers etc., there are always going to be leaks.
The second solution is the easiest and best way to protect your organization. Why store the data if you don't need it? Do they really need my SSN in their database? They could use their own numbering system. Why do they need my address? If I'm in a hospital, I'm not at home, I'm in the bed in room 217C -- if they want to find me, I'm right there. Do they even need my name? Why do they need all these different identifiers, and why do they need to tie them all together in a common database?
The third option requires a fundamental change in how credit is granted, but is the one of the best approaches to stem the tide of data thefts across the board. While it would remove incentive to steal the data for financial reasons, it would do little to protect against data theft for other reasons (perhaps a list of HIV-positive patients could be used for extortion: pay me a million dollars or I post it on the web.)
These approaches are not mutually exclusive. We can employ them all at the same time. It's just that it has to be done, and without tools like lawsuits or other punishments, few organizations are doing them.
John
If you detonate a nuclear bomb in Berkeley, you could be fined up to $500 and go to jail for thirty whole days.
No, I am not kidding.
thankfully my full medical record is only 96k, so it's safe.
A fourth would be separation of data onto different databases on different servers. If social security numbers are not needed, have those stored in a smaller armored database that doesn't connect to the Web. Instead, use another number.
This way, if an application needs information, it can grab what it needs, but no more.
Yes more Visa's can be a problem ... I am such and idoit! I though you were talking about Visa Credit Cards.
Seriously, I'm from Canada and I had no idea what a H1b visa is. Americans have a similar situation to Canadians, we live in a good country, where we grant visas many foriegn workers and students. The best and brightest leave for greener pastures. The Brain Drain as it's called is more a problem for the countries over seas, as the loss of those people has a larger effect to thier native economy.
It's a shame that our people don't want higher educations to work in a high-tech field. Many of the people who I know that didn't attend college work in the Oil Patch, choosing short term returns over education. Of course now that oil is at $55/ barrel their not working anymore.
I am not a nerd, I just play one in real life. My avatar thinks I'm a total loser.
My SSN was in the 160k :-/ Just spent the last 30mins signing on to Experian to put a fraud alert on my account. Anyone understand whether this is good or not? Should I do something else? Also, I see that a freeze will cost $10. Berkeley isn't shelling out for this. It sucks, this is not my fault, some idiots left some ports open and now it's my problem and I don't see much of a concerted response from Berkeley to drive the protection from their end, they do have a website and telephone hotline but I have to do all the running around... wonderful. SSN's suck...
[M]y solution: The Social Security Administration announces that on July 1st, 2010, all SSNs and the names they are associated with will be published and available to everyone. Leave it up to the finance and health care industries to stop using SSNs as authentication.
I love this solution! The Social Security Administration always said the number was not to be used for identification. This would prove they meant it.
Credit suffers from the same problem, by the way. We use the account number as the account to charge as well as the authorization to charge. If we used a different value for authorizing (such as one generated on a smart credit card) there would be no need to protect account numbers, other than simple privacy.
John
And I have the SSNs to prove it!
Do you really want to say there is no connection between recruiting technical workers upon whom no effective background check can be done and security breaches?
I think the question should at least be examined closely. Enron BTW made some rather strange investments in India-and was an H-1b intensive shop.
Noone has done a comprehensive analysis here-in part because the companies that bought H-1b legislation have specifically made reporting standards inadequate for such an analysis.
I don't think most H-1b workers are involved in fraud-but if the H-1b program only allows a few terrorists or criminal organizations to put a few people in place that way-that is enough to cause big problems.
I don't think anyone upon whom a good background check can't be done should be allowed anywhere near sensitive data or critical infrastructure. Workers from Japan, Singapore, the EU can be given real background checks. Workers from more corrupt countries simply cannot.
First off, I NEVER said all H-1b workers are criminals. I said it is impossible to do a background check on workers from India-or other similarly corrupt countries.
Every US worker could be replaced by workers from India or China at less than 25% of current costs. Does that mean they should be?
We will never see more US workers going into technical professions as long as those occupations are provided immigration preferences at no cost to the employers-and there thus will be little incentive to improve the US educational system or invest in advanced education for Americans.
Some states like California do punish companies who have a security breach involving Credit Card numbers and SSNs.
2.) make it illegal to store a social security number/credit card number?
If credit card numbers are hosted by your company, the company is probably subject to the rules established by the PCI Security Standards Council (See https://www.pcisecuritystandards.org/ ). If your business does not comply, the Payment Card Industry will now allow you to process financial transactions, or they will limit the amount of money your business can handle. These rules apply to any systems which touch the Credit Card numbers, even if the numbers are not permanently hosted on the systems.
The problem with implementing PCI DSS rules is mostly institutional, political and financial. It takes time, effort, equipment and money to bring a non-compliant business into compliance, and staff and management will often object to some of the rules ("But I need root access on the database server. It makes my life easier."), or they don't understand different aspects of security ("We have a firewall. That means we're protected, right?") In addition, many of the PCI rules are purposely vague to apply to a wide range of systems. They are subject to interpretation. You may believe one thing, but your PCI auditor may disagree, and a second PCI auditor may believe something else entirely.
I believe there are similar rules for Social Security Numbers.
"Can of worms? The can is open... the worms are everywhere."
Actually, I believe it's just "nuclear free zone", reflecting a ban on both nuclear weapons and nuclear power.
I heard a chemistry professor suggest that this means that the atoms there weren't allowed to have nuclei. My theory is that everyone who lives there is a prokaryote.
Actually, the nuclear free zone goes great with those "Drug Free Zone" signs you sometimes see. No joking, there's actually one on Telegraph Avenue. Of course, the standard interpretation is "Free Drug Zone". Perhaps the maintenance guys were just high. Thank you, I'll be here all week...
Start looking for a class action suit now. It's gross negligence to store this information on an internet-connected machine, which is indeed what happened here. (Split the database and front end, fools. At least that raises the bar slightly.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Have we arrived at a point where the average person is better off having had their identity stolen? With so much identity theft having taken place and, perhaps, a great deal of stolen identities unreported, wouldn't one be better served having had their identity stolen. Being able to establish that one's identity has been stolen may be the most expeditious defense against actions brought resulting from stolen identity. There's security in numbers, unless of course those numbers are stored on a computer.
ideopath @ play
how long will it be before we can stop relying on something as easy to get as a social security number as a unique identifier?
Are you serious? They're not trying to save a few bucks on the support staff -- that's what students are for. They have a large number of international employees because they hire researchers, lecturers, and professors from overseas to promote the exchange of ideas across cultures. Since that is, you know, the entire point of a university.
It is you that should be investigated for criminal dipshittery.
It already is. California has a law (SB 1386) that has been in effect since 2003 concerning the responsibility of companies and government agencies to keep their databases secure and to publicly report any breach of confidential personal information within 30 days of the incident.
Full text of the bill is here: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
There are no fines imposed, but the public humiliation of having to admit that they lost data can cost a company plenty. And the company is held responsible for making sure that the people whose information was lost/stolen/compromised are fully compensated for any money they lost as a result of the breach. And they have to alert all the credit reporting agencies that everyone in the database whose information was compromised gets a Free Credit Report and can freeze their own credit report from all public access for any length of time until they choose to lift the freeze.
That by itself is a pretty serious penalty. If you want to impose a fine for every SSN compromised, every company that has any kind of a breach is going to go bankrupt. As if we don't have enough companies going bankrupt just as a consequence of the lousy economy, let alone due to a security breach.
It was at risk before before it was infiltrated. Now the loss has been guaranteed.
Never go to sea with two chronometers; take one or three.
The federal government has already granted insurance companies carte blanch to your medical records. The fact this is sanctioned by the government is corrupt and despicable, nonetheless no criminal element can harm you more than these insurance companies can, so this "theft" is a non-event.
Meanwhile, i'll continue to be denied all coverage because of crohns disease, which is not related to lifestyle, while people with obesity related diabetes and hypertension continue to readily receive it.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
It is already illegal, because this was medical data. For allowing this data to escape, UCB is subject to civil monetary penalties under HIPAA. These penalties go at $100 per violation, which means they'd theoretically owe $16,000,000. Unfortunately, the penalty is capped at $25,000 per year, so it's going to be a drop in the bucket.
Now, if the data was compromised knowingly by an employee of the University, then that employee as well as the university would be subject to criminal fines of up to $250,000 and up to ten years prison time. But that's probably not the case here.
"It's a shame that our people don't want higher educations to work in a high-tech field. Many of the people who I know that didn't attend college work in the Oil Patch, choosing short term returns over education."
If you are starting out in India or Pakistan, there is a huge incentive to get Canadian or US citizenship. If someone already had citizenship rights, the additional payoff from getting a technical education is minimal. The way Singapore handles this:
a company can get all the foreign workers they want-quickly, but they will pay 2-3 times as much in taxes as the wages they pay those workers. I also don't think Singapore would let foreigners manager critical infrastructure without very careful consideration.
It is certainly true that applying equally rigorous background checks to all applicants would have disparate impact on foreigners.
Seastead this.
If your country doesn't have the right people for the Job you have to hire people from other countries. One of the problems is that US and Canadian workers get paid too much for menial work. I'm an engineer and I get paid well for what I do, but many workers at GM plants in the US make more an hour than I do. Some of that is due to the exchange rate, but the cost of living in most US states is less than here.
I am not a nerd, I just play one in real life. My avatar thinks I'm a total loser.
It was probably students on campus using Tor.
Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
I thought it meant BSD software distribution.
Crap. What did the new CSS do with the "Post anonymously" option??
First off, I NEVER said all H-1b workers are criminals. I said it is impossible to do a background check on workers from India-or other similarly corrupt countries.
No. What you said is:
The management of UC Berkeley should be investigated for criminal negligence.
Now tell me this: why UC Berkeley should be held responsible for something EVENTUALLY the federal government should have done? Or better: should UC Berkeley completely give up in immigrants and rely on subpar American educated professional? Or again: Should UC Berkeley have better security to monitor everybody (Americans and not) within itself to prevent this to happen? Or is it just easier to blame the "undocumented foreigners" (here in the sense of people without background checks...)
"You can't foolproof a public facing system..."
I think if you look, the economic protections for unskilled workers are considerably greater in Japan, Singapore, South Korea-and those are all highly competitive economies without a trade deficit or massive government borrowing-and they don't have the huge resource base the US has.
The folks in the US that are most highly paid relative to world standards and US median income are corporate executives, some folks in protected professions(Japan has a tiny fraction of the attorneys the US has) and some occupations like entertainers. The very wealthy in the US are enormously coddled by international standards relative to the economic base in the US. US doctors make quite a bit more than French doctors-and the US arguably has worse health care.
The area in which there was potential negligence was allowing any workers on which a good background check cannot be done to manage data that is highly confidential. There is a contradiction between US Hippa regulations on the management of confidential information and US regulations that tend to discourage background checks. I think this sort of thing happened much less regularly when background checks were more a fact of life in the US for any management of sensitive data in government institutions(that has been greatly curtailed in recent years).
I have reservations about the US relying heavily on foreigners for occupations requiring graduate training in general-I think we should instead pay CEO's less, have fewer attorney and accountants and make positions that require substantial training more viable for Americans. I wouldn't object to a smaller better managed program similar to Singapore does-I just don't think the current mass system is desirable or sustainable.
Anyhow, I see no evidence that US professionals have historically been subpar. The expansion of H-1b has not be accompanied by massive increase in US wages or even shareholder equity. I don't see that the US is more a technical leader than it was pre-H-1b.
I think you'll find those categorizations are not entirely accurate if they were examined carefully. H-1b visas by research and educational institutions are exempt from the cap-and I think there is a tendency to classify visas as "educational" for those purposes.
UC Berkeley is a public institution with obligations to support the public interest. The real question here is how the people of California really benefit by having an institution that is more international vs. one that isn't.
I agree there are cases in which it is warranted to award visas. Usually it is being done simply because it seems cheaper to University to hire a foreigner to develop local talent. On the whole, Ph.D level jobs pay pretty poorly in the US because there is a huge pool of foreign Ph.D. folks that want to get into the US(which gets 10 Million applications for immigration rights each year).
When possible, I do think it is often better for US students to have instructors that come from a similar cultural background-particularly for earlier courses where communication skills are important. I understand the need to learn to deal with other cultures-but I think that is best done when folks have a solid base. I also understand that sometimes literally the only people that know something are foreigners--and when that is the case, I think visas are warranted _for purposes of developing local talent.
The problem is the US is no longer developing local talent because the US has made all but a few professions requiring advanced training rather unattractive to Americans.