Slashdot Mirror

← Back to Stories (view on slashdot.org)

Break-In Compromises 160k Medical Records At UC Berkeley

Posted by timothy on from the no-ivy-league-nudes-on-file-at-berkeley dept.

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

17 of 167 comments (clear)

  1. Duh.. by Anonymous Coward · · Score: 3, Insightful

    If it's connected to internet, it's just matter of time.

    1. Re:Duh.. by NoStarchPlox · · Score: 4, Funny

      UC Berkeley using a BSD? That's highly illogical!

    2. Re:Duh.. by cayenne8 · · Score: 4, Interesting
      This is a reason why they have to pretty much pull teeth from me, in order for me to give my SSN to any one or any entity that is not related directly to SSN monies and benefits.

      I don't give them to insurance people, I don't give them to Dr.'s or medical institutions, or even utilities (cable, phone). etc). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".

      The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    3. Re:Duh.. by v1 · · Score: 4, Informative

      The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

      It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn.

      Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality.

      This is true of any of the places that are not authorized by law to require your ssn. So same applies to the others that are often brought up, such as utilities, and pretty much always applies to calculation of a deposit or interest rate.

      --
      I work for the Department of Redundancy Department.
  2. Auditing Logs by DigiWood · · Score: 5, Insightful

    Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

    --


    Nothing is impossible. It just hasn't been figured out yet.
    1. Re:Auditing Logs by Archangel+Michael · · Score: 4, Insightful

      Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

      I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

      Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

      The old saying "don't fix it, if it ain't broke" runs many IT Depts.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. Brutal by lorenlal · · Score: 4, Insightful

    This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.

    This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.

  4. This is a huge, everyday, constant problem. by silver007 · · Score: 5, Interesting

    Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.

  5. Old Story by Plekto · · Score: 4, Informative

    http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/

    The email informing students of the breach was sent on May 8th. It was all over the news last Friday.

  6. Sometimes you need an air gap by davidwr · · Score: 5, Insightful

    It's not just military-grade information that needs protecting.

    If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

    With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

    For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. Break-in free zone signs by Kohath · · Score: 4, Funny

    The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.

  8. Re:Hackers or Crackers? by Hatta · · Score: 3, Funny

    Just because they're on the internet doesn't mean they're white.

    --
    Give me Classic Slashdot or give me death!
  9. Who could benefit from this medical info? by Drakkenmensch · · Score: 4, Interesting

    Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...

  10. When will it be illegal to store/lose this data? by odin84gk · · Score: 4, Interesting

    When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.

  11. privacy? what privacy? by bugi · · Score: 5, Funny

    So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.

    I wish that were funny.

  12. Re:Hackers or Crackers? by Culture20 · · Score: 4, Insightful

    If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

    Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
    </feeding the troll>

  13. Re:how is this interesting ? by lorenlal · · Score: 4, Interesting

    The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.

    And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.

    You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.