Slashdot Mirror


SAIC Loses Data of 4.9 Million Patients

An anonymous reader writes "Government contractor SAIC just can't seem to get a break. Still fresh off of the Citytime scandal, they've now had a data breach in which backup tapes holding 4.9 million personal health records were stolen from an employee's car. To add insult to injury, evidently the tapes were not encrypted either: 'Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape."'"

24 of 182 comments

  1. LOL by afidel · · Score: 4, Informative

    Hard to encrypt tape?!? Every LTO5 and most LTO4 drives support hardware AES encryption!

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    1. Re:LOL by DragonWriter · · Score: 2

      Exactly! Encrypting tape backups is required by HIPAA anymore.

      No, it's not. Under the HIPAA Security Rule, Encryption and Decryption is an "addressable" rather than a "required" specification of the Access Control standard mandated under HIPAA (see, 45 CFR Sec. 164.312(a).)

      So, in fact, entities holding PHI are required to either implement encryption or document why it isn't "reasonable and appropriate" for them to do so. (see 45 CFR Sec. 164.306(d)(3).)

      Encrypting data, whether at rest or in motion, is necessary for the data to be considered "secured", but there is no general prohibition on holding or transmitting unsecured PHI. However, there are all kinds of rules regarding notification and other actions that have to happen in the event that anyone who isn't supposed to have access to particular PHI gets, or might have, their hands on unsecured PHI, so the policy of most institutions that hold PHI is to make sure that it is secured both at rest and in motion.

  2. very hard to encrypt by Oxford_Comma_Lover · · Score: 2

    Yeah, encrypting a backup tape might take another hour or two to configure... not at all reasonable overhead for 4.9 million patient records

    --
    IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
  3. My professional opinion by subreality · · Score: 4, Informative

    It's very hard to encrypt a backup tape.

    I think I speak for everyone when I say: Fuck you, no it's not. I don't have any problems encrypting my personal backups even though I have nothing more private to protect than porn. You people are supposed to be professionals. Telling people their data is safe because it would require "special hardware and software" to read the tapes is pathetic. Get your shit together, sir.

    1. Re:My professional opinion by mlts · · Score: 4, Insightful

      Nail. Head. Hit.

      "special hardware and software" gets me...

      An LTO-5 drive and access to GNU tar or cpio is an alt-tab away for a number of IT people.

  4. /facepalm by idontgno · · Score: 2

    Did you just say "It's very hard to encrypt a backup tape."? In public? Out loud? With a straight face?

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  5. Re:Espionage? by Nkwe · · Score: 3, Insightful

    What's the probability that someone breaks into your car and steals computer tapes?

    Maybe not as high as an employee selling the tapes and claiming that they were stolen.

  6. Re:!surprised by grimmjeeper · · Score: 2

    You really shouldn't insult Geek Squad like that.

  7. Offsite backup by Smallpond · · Score: 2

    When we stored tapes at an offsite backup, they were picked up in a locked metal box by uniformed security guards who delivered them to their protected site. These days it has shifted to VPN. Never heard of just having tapes sitting in an employee's car. What was the offsite backup? A shoebox in his closet?

    1. Re:Offsite backup by Anonymous Coward · · Score: 2, Funny

      I used to work at a firm that sent the backup tapes home with the tech.
      She stored them under her bed.
      I told her that was a great place because if her husband ever came home early and found a strange man in the bedroom she could say he was just there to get a backup.

  8. HIPAA Consequences? by goldspider · · Score: 2

    So is SAIC going to be fined for their illegal (if unintentional) disclosure of patient medical records?

    Ha ha! Almost got ya there, didn't I? Of course I know the answer already!

    --
    "Ask not what your country can do for you." --John F. Kennedy
  9. Re:Very hard to encrypt a backup tape? by Raistlin77 · · Score: 2

    Seems to be that it was an ignorant attempt at sarcasm, as in "How do you encrypt plastic?" Clearly he's the kind of knuckle dragging moron that shouldn't be making statements regarding the topic at hand.

  10. Re:Espionage? by BBTaeKwonDo · · Score: 2

    If a copy is found, it may be possible to determine when the copy was done and by whom. E.g., "Suzy's record was added on the 3rd and Bobby's was added on the 4th. This copy has Suzy's record but not Bobby's, so the copy must have been taken on the 3rd. Who did the backups on the 3rd?" By saying the tapes were stolen, it's much less suspicious if a copy is found.
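The date-bounding reasoning in this comment, worked through as an added example (not code from the thread or from any party in the story): the audit log of record creation times, the backup-operator log and the `analyse_copy` helper are all hypothetical, constructed here. Given the record IDs found on a recovered copy, it narrows the time the copy was taken to a window and lists whose backup runs fall inside it. It also handles the case the comment's reasoning silently assumes away: a copy that holds a newer record but lacks an older one is not a point-in-time snapshot (it is a selective extract, or records were deleted), so the window logic must not be applied to it.

```python
from datetime import datetime

# Constructed (hypothetical) audit log: when each patient record was created.
RECORD_LOG = {
    "pt-1001": datetime(2011, 9, 1, 9, 0),
    "pt-1002": datetime(2011, 9, 2, 11, 30),
    "pt-1003": datetime(2011, 9, 3, 10, 15),  # "Suzy"
    "pt-1004": datetime(2011, 9, 4, 8, 45),   # "Bobby"
    "pt-1005": datetime(2011, 9, 5, 14, 0),
}

# Constructed (hypothetical) operator log: who ran the nightly backup, and when.
BACKUP_LOG = [
    (datetime(2011, 9, 1, 22, 0), "operator-a"),
    (datetime(2011, 9, 3, 22, 0), "operator-b"),
    (datetime(2011, 9, 4, 22, 0), "operator-a"),
    (datetime(2011, 9, 5, 22, 0), "operator-c"),
]


def snapshot_window(found_ids, record_log):
    """Bound when a copy was taken from which records it does and does not hold.

    not_before: creation time of the newest record present in the copy
    before:     creation time of the oldest record missing from the copy
    A genuine point-in-time copy satisfies not_before <= before. If it does
    not, the copy is not a snapshot and the date reasoning does not apply.
    """
    present = [t for rid, t in record_log.items() if rid in found_ids]
    missing = [t for rid, t in record_log.items() if rid not in found_ids]
    not_before = max(present) if present else None
    before = min(missing) if missing else None
    point_in_time = not_before is None or before is None or not_before <= before
    return not_before, before, point_in_time


def analyse_copy(found_ids, record_log=RECORD_LOG, backup_log=BACKUP_LOG):
    """Return the time window and the operators whose backup runs fall in it."""
    not_before, before, point_in_time = snapshot_window(found_ids, record_log)
    operators = []
    if point_in_time:
        operators = sorted({
            op for run_time, op in backup_log
            if (not_before is None or run_time >= not_before)
            and (before is None or run_time < before)
        })
    return {
        "not_before": not_before,
        "before": before,
        "point_in_time": point_in_time,
        "operators": operators,
    }


if __name__ == "__main__":
    # The comment's scenario: Suzy's record present, Bobby's absent.
    print(analyse_copy({"pt-1001", "pt-1002", "pt-1003"}))
    # Bobby present but Suzy missing: not a snapshot, so no window is claimed.
    print(analyse_copy({"pt-1001", "pt-1002", "pt-1004"}))
```

The window is only as tight as the audit log's timestamps: with day-granular logs, a run on the same day as the oldest missing record could still predate it, so the upper bound has to be treated as inclusive there.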

  11. And they all support rot256 by davidwr · · Score: 2

    rot256 is for arbitrary 8-bit binary data.

    "rot256 - like rot13 but 19-20 times as much rot!"
    - rejected slogan, rot256 working group

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Re:Very hard to encrypt a backup tape? by Synerg1y · · Score: 2

    Lol, this guy took the tapes out to his CAR, would you feel ok walking around with your company's database in your briefcase?

    I wouldn't, I'd VPN in to grab it, not carry it, and I'd make sure I'm using a hardened Windows to do it too. That kind of liability can really put a kink in somebody's day.

    This fine gentleman though, not only removed the tapes, he put them in his car.

    Now with that thought pattern do you REALLY expect him to know about encrypting tapes?

    Some people just shouldn't be allowed to be around computers, but are because for reasons that are not fully revealed to me some people think they can work in IT without actually knowing much about computers. I'm just adding this post as an extra gtfo of IT to these people.

    If my record was among those, I'd prolly be looking into a class action lawsuit rather than making this post.

  13. Re:!surprised by MagikSlinger · · Score: 3, Informative

    SAIC's greatest FAILs:

    Wow. The hits just keep coming...

    --
    The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
  14. Re:Encryption by MikeB0Lton · · Score: 2

    Backup processes are typically automated and do not use 7-zip, but instead use backup utilities that cost $$$ like NetBackup. Most enterprise grade backup software can utilize software encryption for the backups. Tape drives can do the same on the hardware side if you bought the feature. Besides offloading the encryption algorithm to the tape drive, it also opens the door for storage deduplication for the volumes holding the disk based backups (encryption would obfuscate the data in the blocks rendering dedupe useless). It seems like the guy who lost the tapes was not able to pay Iron Mountain to handle offsite rotation, so he foolishly did it himself.
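The dedupe point in this comment, shown with an added example that is not from the thread or from any backup product: a constructed data set of fixed-size records backed up three days running with a few records rewritten each day, a block-level dedupe counter, and a toy SHA-256-based keystream standing in for AES-CTR so that it runs with the standard library only (the key, record sizes and scenario names are all assumptions). Scenario A leaves the disk pool in plaintext and relies on the tape drive to encrypt on the way out; scenario B has the backup host encrypt each run before it reaches the pool.

```python
import hashlib
import random

CHUNK = 4096  # dedupe block size; constructed records are sized to align with it


def make_backups(days=3, records=50, changed_per_day=5, seed=42):
    """Constructed data set: a database of fixed-size records backed up once a
    day, with a handful of records rewritten between runs (seeded for repeatability)."""
    rng = random.Random(seed)

    def fresh_record():
        return rng.getrandbits(8 * CHUNK).to_bytes(CHUNK, "big")

    db = [fresh_record() for _ in range(records)]
    backups = [b"".join(db)]
    for _ in range(days - 1):
        for idx in rng.sample(range(records), changed_per_day):
            db[idx] = fresh_record()
        backups.append(b"".join(db))
    return backups


def dedupe_stats(backups):
    """(total chunks, unique chunks) as a block-level dedupe engine sees them."""
    total, unique = 0, set()
    for image in backups:
        for i in range(0, len(image), CHUNK):
            total += 1
            unique.add(hashlib.sha256(image[i:i + CHUNK]).digest())
    return total, len(unique)


def keystream(key, nonce, length):
    """Toy CTR-style keystream from SHA-256, standing in for AES-CTR so the
    example needs no extra library. Illustrative only, not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(data, key, nonce):
    ks = keystream(key, nonce, len(data))
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def compare_scenarios():
    """Dedupe effectiveness with encryption after vs before the disk pool.
    Returns {scenario: (total chunks, unique chunks)}."""
    backups = make_backups()
    key = b"\x01" * 32  # constructed key, fixed so the result is reproducible

    # Scenario A: the pool holds plaintext images and the tape drive encrypts
    # the cartridge on the way out, so dedupe still sees every repeated chunk.
    at_drive = dedupe_stats(backups)

    # Scenario B: the host encrypts each run under its own nonce before the
    # pool sees it; unchanged records no longer yield identical chunks.
    encrypted = [stream_encrypt(img, key, f"run-{i}".encode()) for i, img in enumerate(backups)]
    on_host = dedupe_stats(encrypted)

    return {"encrypt_at_tape_drive": at_drive, "encrypt_on_backup_host": on_host}


if __name__ == "__main__":
    for name, (total, unique) in compare_scenarios().items():
        print(f"{name}: {total} chunks, {unique} unique, {total / unique:.2f}x reduction")
```

Scenario A dedupes 150 chunks down to 60 (the 50 original records plus the 10 rewritten ones); scenario B keeps all 150, since a fresh nonce per run makes every chunk distinct. The only way to keep dedupe with host-side encryption is deterministic per-chunk encryption, which in turn reveals which chunks repeat, so the drive-side placement the comment describes is the usual compromise.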

  15. Re:holy crap, what idiots by 3nails4aFalseProphet · · Score: 2

    For some organizations, it is a weighted risk. Which would be worse: some random car thief thinking he stole somebody's 8-track collection, or not being able to find/remember the right password to restore the data in a legit DR situation?

    Although, even with my defending them above I have to ask... WTF was going on with tapes left alone in an employee's car? Most places use a data storage company to transfer and store tapes.

    Also, Axway's Raley was either misquoted or she's an idiot. What is Tricare using that makes tape encryption so difficult? Usually the difference between encrypting and not is just checking a box and entering a password. May slow down an already tedious process of backing up/restoring, but definitely isn't difficult to implement.

    --
    /*Insert boring sig here*/
  16. Re:A few facts distilled from TFA by Tekfactory · · Score: 3, Insightful

    Well if it's a strictly Government program HIPAA isn't its regulatory framework. They'd still have a requirement to protect Personally Identifiable Information under the FISMA Act of 2002 and OMB Memorandum 06-16 which came out after the VA lost their records. Among other things M06-16 requires you to encrypt sensitive data on mobile media and data in transit.

  17. Re:Espionage? by dave562 · · Score: 2

    Depending on the environment, it is very easy to detect a copy operation. Due to the sensitivity of the data we deal with, we have controls in place. Every time a drive is attached / detached from the server it is recorded. Internet connectivity is prohibited. ACLs on the servers prevent mounting remote file systems, and even if they could be mounted, the mount would be logged.

    In my environment, it would be much easier to "lose" a backup tape than to simply copy the records. Of course, that is not entirely true either. The tapes need to be signed out of the data center. Given that, "theft" is pretty much the only viable alternative.

  18. Re:Very hard to encrypt a backup tape? by Bucky24 · · Score: 3, Informative

    When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

    Every time that happens they kill all the witnesses. So no one ever knows...

    --
    All the world's a CPU, and all the men and women merely AI agents
  19. Re:holy crap, what idiots by gregfortune · · Score: 2

    I didn't see any mention of encryption in the PDF linked off of that quote either. Wonder where it came from?

  20. Re:holy crap, what idiots by gregfortune · · Score: 2

    Ah ha, it came from the second link rather than the PDF it appeared to be linked to. Come on guys, at least link silly quotes like that to the right article.

    ---- http://www.informationweek.com/news/healthcare/security-privacy/231700161
    Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape." Tricare did not respond to a request for comment on the HIPAA issues.
    ---

    Brilliant :(

  21. Re:Very hard to encrypt a backup tape? by morethanapapercert · · Score: 2

    Since the first person to witness the crime would be the thief, I'm actually OK with that....

    --
    I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj