Slashdot Mirror
SAIC Loses Data of 4.9 Million Patients
An anonymous reader writes "Government contractor SAIC just can't seem to get a break. Still fresh off of the Citytime scandal, they've now had a data breach in which backup tapes holding 4.9 million personal health records were stolen from an employee's car. To add insult to injury, evidently the tapes were not encrypted either: 'Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape."'"
There are people who let their data out of the data center in plaintext?
srsly?
Hard to encrypt tape?!? Every LTO5 and most LTO4 drives support hardware AES encryption!
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Seriously?
What kind of knuckle dragging moron can't figure out how to encrypt the data stream they're backing up?
And most of the big vendors and even many free software systems support key management. So no, it isn't very difficult. You just have to give a shit.
Deleted
Yeah, encrypting a backup tape might take another hour or two to configure... not at all reasonable overhead for 4.9 million patient records
-- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
What's the probability that someone breaks into your car and steals computer tapes?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
It's very hard to encrypt a backup tape.
I think I speak for everyone when I say: Fuck you, no it's not. I don't have any problems encrypting my personal backups even though I have nothing more private to protect than porn. You people are supposed to be professionals. Telling people their data is safe because it would require "special hardware and software" to read the tapes is pathetic. Get your shit together, sir.
Did you just say ""It's very hard to encrypt a backup tape."? In public? Out loud? With a straight face?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Now, I dont know anything about tape drives, but how can it be difficult to do the encryption?
Simplest process would be to just zip them up with 7-zip, split into archives the size of the tape and apply a password to it.
May not be the strongest security, but still better than nothing
Q. Will you be notifying beneficiaries?
A. After careful deliberation, we have decided that we will notify all affected
beneficiaries. We did not come to this decision lightly.
In other words : we didn't want to tell you but they made us.
No surprises here, as a former SAIC employee.
Get to know some of those career jokers and you will understand, they have a small number of very good people, but 95% of them are right up there with Geek Squad.
Losing records is bad, but it's not the worst thing in the world. At least they're not secretly abducting people and implanting their brains.
When we stored tapes at an offsite backup, they were picked up in a locked metal box by uniformed security guards who delivered them to their protected site. These days it has shifted to VPN. Never heard of just having tapes sitting in an employee's car. What was the offsite backup? A shoebox in his closet?
Sometimes the clumsiness of paper is an advantage.
That holds true for things like health records and ballots. I would also hope things like missile launch codes are written and verified on paper, so we're not one JE->JNE away from a huge oops.
Paper doesn't get lost en masse and it's harder to mine and manipulate on wholesale levels.
Until computer systems are more secure and privacy laws stronger, each by orders of magnitude, there will be a place for paper.
"It's very hard to encrypt a backup tape."'
Then encrypt the data, nimrod. These people actually get paid? Since when do they store HIPAA-related data and NOT encrypt it in the tables or wherever.
Exporting data to a nonencrypted anything is wrong. And backup tapes need not have raw data on them. Probably they shouldn't.
deleting the extra space after periods so i can stay relevant, yeah.
Who was responsible for transporting and losing unencrypted data with PHI in an unsecured environment? Should be jail time for the boss who approved this.
So is SAIC going to be fined for their illegal (if unintentional) disclosure of patient medical records?
Ha ha! Almost got ya there, didn't I? Of course I know the answer already!
"Ask not what your country can do for you." --John F. Kennedy
The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.
I've worked with some weird systems before, but none so weird that I'd consider it that hard to get something off the tape. Even if the data structures are too strange to find everything, you might be able to link names with SSNs.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
and a couple of questions.
For those who don't know, Tricare is the "health insurance" that pays for providing health care for members of the military and for those retired military members that pay premiums. However, I don't remember SAIC having any contractual role in administering the Tricare system. Perhaps they were contracted by DoD to perform some kind of historical data analysis, and authorized access on that basis... but the reports make Tricare out to be the party at fault, so that would imply that SAIC is formally part of the winning Tricare team, and not some kind of outside consultant. Maybe the SAIC employee was a contractor performing the duties of a government employee in the administration of Tricare. Pretty confusing.
Anyway, TFA says that 4.9 million people were affected, but also that the tape contained health records from facilities in the San Antonio, Texas region for a 19-year period. 4.9 million people seems like a really large number for the service catchment area of one city, even if it has several primary military care facilities and a large semi-transient military population. Maybe if they include the induction medical records of Air Force recruits at Basic Training at Lackland AFB, for instance.
Weird.
Welcome to the Panopticon. Used to be a prison, now it's your home.
people who do stuff like this must of not done alot of tech work or did not go to a tech school.
CS will teach you theory and may some hands on stuff but a tech school will tech you about the right way to do safe back ups and the basic of data safety.
have back up tapes employee's car why? there has to be a better way to have a off site back up plan? if you want a employee to take it to off site place pay them (Time + miles) to do at the end of the day of a fixed time with NO OTHER WORK LOAD AT the same time. Tell them if you need a rest stop take the tape with you.
Wow ohio fixed that a few years ago and there off site back up plan has let the intern take in home in his car.
http://it.slashdot.org/story/07/12/11/2144255/ohio-plans-to-encrypt-after-data-breach
Retrieving the data on the tapes requires knowledge of and access to specific
hardware and software and knowledge of the system and data structure.
sounds like manager speech.
when something like this happen a few years ago!
http://it.slashdot.org/story/07/12/11/2144255/ohio-plans-to-encrypt-after-data-breach
Surely you jest? Getting amanda to encrypt your backups. Is just a matter of reading some howto files on amanda's website. And, just peeking over at bacula's website, I can see that they have a similar sort of setup. I don't use bacula, but I'm sure it is a matter of following the directions just like with amanda. It is not clear how anyone can consider encrypting backup tapes as a difficult process. For that matter, with TrueCrypt, OpenSSL, GnuPG, FreeBSD's geli, and linux's dm-crypt encryption in general has become easy and accessible. Add to that the hardware acceleration built into most new systems or just pure computational power of modern processors and organizations are remiss for not using encryption at nearly every turn. If you don't, you should lose your job.
Someone seriously needs to go to jail for a long time.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Maybe juian assange stold them?
Maybe he used a piece of proprietary backup software that he had no source code for to do the backup, but it's hard to believe that he wasn't stealing the data.
rot256 is for arbitrary 8-bit binary data.
"rot256 - like rot13 but 19-20 times as much rot!"
- rejected slogan, rot256 working group
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Tapes are hard as hell to restore reliably anyway. And he left them in a car on top of that. They're probably toast already.
... they do now.
Thief to buddy: "Hey, you know that stuff we grabbed last month out of that car? I wonder if it's that thing on the news. Hey, does your cousin still know that computer guy? I bet he can help us find a buyer...."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
and rising by the hour
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Perhaps the tape used a proprietary compression algorithm that would take an adversary either a lot of luck or many weeks to figure out how to decompress it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I have to ask why are they using tapes when backup drives are so cheap and easy to encrypt. Second why are you taking data offsite in this day and age. even if your data center is in bum fuck nowhere you can send copies of your data via encrypted VPN to an offsite location. I think what you have here is a case of management trying to run IT on as little as possible. They are all soon going to learn that it has cost them more than if the just upgraded.
--
Seriously, this is a major violation of HIPAA regulations (major as in "complete brain fart").
Talk DUP to the controller, Job done.
Geez!
Uh, Linux geek since 1999.
Someone beat the guy over the head with a clue-stick and stop the PR spin-wheel from being so absolute obvious. Just about EVERY enterprise level backup tape system supports built-in hardware encryption! You don't even need your software level stack to do it. The hardware itself encrypts the tape as it writes the data based on the firmware settings you configure on the device. It then automatically de-crypts it when it reads that tape later as it uses the same access keys/settings you gave it originally. So I call complete BS on "it's very hard to encrypt a backup tape" answer...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
This is what you get with a CMMI Level 30 company.
From TFA:
Raley is "director of healthcare solutions at IT integration and security company Axway" and the quote "very hard to encrypt tape" is attributed to him, not SAIC.
SAIC has not said if the data was encrypted on the tapes or not.
If you use Axway as a vendor, you should fire them.
--
$tar -xvf
It is actions like this and projects like OneSAF that really make you question the value of being CMMI Level 30.
HIPPA/HITECH *mandates* that any backup tapes that are taken out of a secured environment are to be encrypted. No exceptions.
Someone's car is not a "secured environment".
Each individual's data that was lost could be a separate violation... corrected violation at $10K each or uncorrected violation at $50K each. It's pretty tough to "correct" when PII data is already lost. Max cap on violations is $1.5 million per year.
SAIC ought to get the book thrown at them. A high-end encrypting LTO4/LTO5 tape autoloader should be on the minimum equipment list for any enterprise data center that handles PII.
Long story short my current job blows very badly. I have been looking at job postings for computer security positions. In the last week I have been seeing lots of SAIC postings.
Please excuse short url below.
http://5z8.info/freeanimalporn.com-start-download_h2f2ci_mydick
Looks like they are hiring security people at a coincidental time. I wonder who got fired or if there was anyone to even get fired.
How many times will tapes be stolen from a car before these people wise up? http://www.computerworld.com/s/article/108101/Update_Thief_nabs_backup_data_on_365_000_patients?taxonomyId=084 About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records. In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. **** http://tech.blorge.com/Structure:%20/2007/07/26/800000-stolen-social-security-numbers-a-22-year-old-scapegoat/ A 22-year-old intern said today he’s the “scapegoat” for the loss of over 800,000 social security numbers. A backup tape was stolen from his car last month containing at least 770,000 social security numbers (with the corresponding names) for Ohio taxpayers. It also contained the social security numbers for another 64,000 state employees. Today the intern issued a statement with his side of the story. **** http://www.healthcareitnews.com/news/patient-billing-records-stolen-utah-hospital Billing records for approximately 2.2 million patients and guarantors were reported stolen this week from the University of Utah Hospitals & Clinics. Backup tapes of patient billing records, which were contained in a metal box, were stolen from a car belonging to an independent storage company, Perpetual Storage, Inc., which is contracted by the healthcare system. The system sends the backup tapes off-site for storage for disaster recovery purposes.
the tapes were stolen from an SAIC employee's car during a burglary the night before.
What kind of idiot leaves tapes containing confidential data in a car, OVERNIGHT ? I wouldn't even leave a half-eaten sandwich in there overnight...
Gotta love government, contracting out to the biggest crooks and morons they can find.
-Billco, Fnarg.com
News flash: convenience trumps security and leads to data breach/leakage.
Our other top story: dog bites man; film at 11.
I had the misfortune of working with a consulting company who worked for a large oil and gas company doing water quality work. We were supposed to integrate with their EMIS application. First off it was only a month before the rollout that they contacted us to get some real life data. They had mindless inheirted off of air testing data and knew nothing about water testing. This is a marker of OOP newbies. They also didn't understand that the regulatory requirements changed with the seasons due to high flow/low flow in the stream channel and if the farmers and ranchers irrigating. On top of which land owners sometimes added items to the discharge permit to protect their water supply, over and above what the state or the Feds may have required. If they had asked us we would have warned them.
Eery discharge permit therefore was an individual. At the consulting company I worked at we worked hard to keep from having to modify our applications whenever we got a new permit in. They ended writing a specialized MS Access application to filter the incoming information and get into their data format to be loaded into their database. A DB whose schema left me under-whelmed. They had no clue about data management or modeling.
So in other words we blew their minds. I went to a couple of meetings and of course the primary development team was in India, far out of touch with their users. The people I met in the US reeked of low bid contractors. The PM team for our client who was in charge of the project was clueless and soon got the "deer in the headlights" look on their faces. The PM team had bought vaporware when other software companies had completed products ready to go.
So I had the amusement of watching a typical software train wreck from the sidelines. All they had to do was ask us and we could have told them the gory details.
putting the 'B' in LGBTQ+
If it's encrypted, it should be absolutely no problem physically transporting the backups off site yourself.
Which reduces it to a problem of securely transporting the key.
It was common. Likely before your time.
PHB's used to demand regular hard copies of detail that they would never read. Pulling them out of dumpsters was standard corporate espionage. I bet it still is.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Speaking as a former sysadmin at an Army hospital...
The tapes in question were probably these: http://en.wikipedia.org/wiki/Digital_Linear_Tape
Running backups on a cluster of these babies: http://en.wikipedia.org/wiki/DEC_AlphaServer#AlphaServer_SC
This is essentially a 30 year old platform. Back then, nobody ever imagined identity theft would be such a problem or guessed there would be legislation for HIPPA/PII like we have today.
4.3 Million patents gone! Sayonara you innovation starving sunsabitches!
Wait, what?
Aren't they a pretty sizable defense contractor? I can't attest for their current security but I had a relation that worked for them several years ago and at least at that time they had pretty top of the line security precautions. One time use tokens, dedicated computers for remote access, etc. Either they've become lax in their implementation or most of what I saw was for show.
Tape backups are trivial to encrypt - the tape just stores data after all and doesn't care if you encrypted it before the tape sees it. Or turn on the encryption option and hope the vendor didn't screw it up.
Now of course once you have encrypted backups the encryption keys become very important. Losing them at the same time as you lose data you need restored (because you lost the machine where you kept them for one simple retarded scenario) puts you in a world of hurt - so there's some costs/benefits to consider.
But it is technically trivial, so if you are using Axway for anything it's probably time to find a competent vendor.
Oh and what idiot decided to link a quote to the article that doesn't contain the quote?!?
Whoever think it is hard to encrypt backup tapes, should learn how to use google. The following link will give a few pointers, but my first suggestion is “Get a real operating system” http://www.google.com.au/search?q=man+tar&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-GB:official&client=firefox-a#sclient=psy-ab&hl=en&client=firefox-a&hs=PTX&rls=org.mozilla:en-GB%3Aofficial&source=hp&q=unix+encrypt+backup+to+tape&pbx=1&oq=unix+encrypt+backup+to+tape&aq=f&aqi=&aql=&gs_sm=e&gs_upl=32114l42412l0l42758l27l27l0l3l3l0l452l7019l0.1.13.8.2l27l0&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=afa2de594e6bb2dc&biw=1920&bih=917
Actually you select the check box for "encrypt"...real hard. It simply takes more tape space.
Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure
-Who wants to bet that all you need to pull the data out is something like: dd if=/dev/tape | strings, perhaps with conv=ascii given to dd... and maybe gunzip or bunzip2. Sigh. Specific hardware: tape drive and a scsi card. Software: any recent unix would do. Knowledge of data structure: they obviously Huffman-coded all their SQL dumps, right? Haha.
A successful API design takes a mixture of software design and pedagogy.
Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure
-Who wants to bet that all you need to pull the data out is something like: dd if=/dev/tape | strings, perhaps with conv=ascii given to dd... and maybe gunzip or bunzip2. Sigh. Specific hardware: tape drive and a scsi card. Software: any recent unix would do. Knowledge of data structure: they obviously Huffman-coded all their SQL dumps, right? Haha.
I'd take that bet.
Its not Unix, its OpenVMS.
The software is written in MUMPS.
When code looks like this http://www.hardhats.org/history/chcs4.htm you certainly do need to have specific knowledge of the system and datastructure.
Again, assuming this is the old system that has been in place for 30+ years because with the new system all data is sent to DISA Alabama.
The fact that it's VMS is irrelevant I'd think. The fact that MUMPS is involved -- well, everything depends on whether they are taking some sort of a database snapshot, or a dump. If it's a dump, it'll be human readable. If it's a snapshot, I'd still expect it to use some sort of records with strings stored without further ado. Most uncompressed databases I've seen are readable once passed through strings, though data from each row is not necessarily contiguous. All in all, I don't doubt that anyone who cares enough to run the tape through the drive will be able to pull enough data to wreak potential havoc. Especially if they decide that obtaining credit in bulk would be a cool trick to pull off... It's not that complicated to quickly get a few millions worth of credit based on those records. Not with the retarded way credit is handed out in the U.S., anyway. All you need to get a credit card is often just to know someone's address, employer, and SSN, and perhaps an ID if you do it in a brick-and-mortar location.
A successful API design takes a mixture of software design and pedagogy.
And what the fuck were they doing in an employee's car, to begin with?
How many HIPAA violations does this incident constitute. At what point does SAIC lose their ability to do business with the US Government?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Or even read TFS?
"Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape." Tricare did not respond to a request for comment on the HIPAA issues. "
How does one get from that to, "To add insult to injury, evidently the tapes were not encrypted either:"?
consultant / contracts / sub contracts seem like buck passing. But let the new guy, intern handle holding the off site back up?
Why not at least give them to a permanent or more long term worker or where they to smart to take responsibility for the back ups. But the intern will do just about any thing to try to get a perm job.
Now just having some keep the off site in there home and or car is a poor place to cheap out. Now if you want them to take it to a safe off site place have them do as part of the work day + pay for all miles / tolls parking costs. (not on the way home after the end of normal work day schedule) now it ok to have the worker take it to off site by having them leave the office before the end of the normal work day schedule.
Under HIPAA, lost or stolen media, with an approved, industry standard encryption algorithm, isn't required to be a reported. The fallout will probably go to DoD as the responsible party under HIPAA. SAIC may dodge the direct impact, but they won't make any friends. Given the announcement, encryption probably was never configured, because we "always did this way." There's no mention of the hardware, operating system or database, however, Google helpfully provides one probably configuration. Encryption can easily be done with hardware or the operating system. While you may need specific hardware or the appropriate VMs to read data in a native environment, dumping the raw bits is always an option.
There have incidents of backup couriers being targeted for theft in the medical and financial industries. Why hack a system when you can just read backups?
How else can corporations monetize (or transfer to unsavory "clients") personal information they collect on us without looking bad? Or in some cases breaking laws? Capitalism is not about ethics - yeah guess that is just stating the obvious, sorry my bad...
$subj. Can someone explain it?
Fined? Pfft! Shortly after this was announced, HHS awarded SAIC another large contract to provide and run computer systems which will contain ... more data covered by HIPPA.
No its not hard to encrypt them. But guaranteeing you can decrypt them (or even read them) in 10 or 20 years? Most companies I walk into can't even tell you what their current version of backup software is, let alone what they used in 2001.