Slashdot Mirror
Break-In Compromises 160k Medical Records At UC Berkeley
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
If it's connected to internet, it's just matter of time.
Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?
Nothing is impossible. It just hasn't been figured out yet.
This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.
This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.
Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.
http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/
The email informing students of the breach was sent on May 8th. It was all over the news last Friday.
Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.
If you don't have these accounts, you won't be vulnerable to monetary or identity theft.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?
(bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.
...they left this information accessible to the public because?
"Our goal each year should be to increase the number of goals we set for ourselves!"
It's not just military-grade information that needs protecting.
If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.
With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.
For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.
Just because they're on the internet doesn't mean they're white.
Give me Classic Slashdot or give me death!
Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...
When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.
I wish that were funny.
If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...
Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
</feeding the troll>
If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.
However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.
There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.
And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.
You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.
My SSN was in the 160k :-/ Just spent the last 30mins signing on to Experian to put a fraud alert on my account. Anyone understand whether this is good or not? Should I do something else? Also, I see that a freeze will cost $10. Berkeley isn't shelling out for this. It sucks, this is not my fault, some idiots left some ports open and now it's my problem and I don't see much of a concerted response from Berkeley to drive the protection from their end, they do have a website and telephone hotline but I have to do all the running around... wonderful. SSN's suck...
Have we arrived at a point where the average person is better off having had their identity stolen? With so much identity theft having taken place and, perhaps, a great deal of stolen identities unreported, wouldn't one be better served having had their identity stolen. Being able to establish that one's identity has been stolen may be the most expeditious defense against actions brought resulting from stolen identity. There's security in numbers, unless of course those numbers are stored on a computer.
ideopath @ play
Are you serious? They're not trying to save a few bucks on the support staff -- that's what students are for. They have a large number of international employees because they hire researchers, lecturers, and professors from overseas to promote the exchange of ideas across cultures. Since that is, you know, the entire point of a university.
It is you that should be investigated for criminal dipshittery.