Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen
An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."
Medicaid is for poor people. Stealing their identity won't gain them access to much money. However, the SS numbers might be useful for illegal alien ID cards.
Since when is "public safety" the root password to the Constitution?
Survey says..............
No one!
We have to stop pretending that the SSN is something only the owner knows. It cannot be an identifier and a password at the same time. It's because of our retarded system that SSNs are such a juicy theft target. Other countries have similar personal identification numbers and no rampant "identity theft" problems like we have here in the US.
Simply put, someone should not be able to pretend they are you just by knowing your SSN and name and date of birth. All should be public info and not security questions. Someone can't go in and get a loan just because they found my name in the phone book, it should be the same with the SSN. Leave it be an identifier and only an identifier. The cat's out of the bag with the secret part.
It's too hard. I give up! What's the answer?
There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.
Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.
This brings up an interesting question as to whether the advantages of storing massive amounts of personal data on public facing servers (or any server at all; recent reports have me convinced that anybody, including governments, foreign hackers, or anyone else who wants the data badly enough, will be able to find a way to get it) create large enough benefits to balance the damages caused by breaches like this.
Koalas. They're telepathic. Plus, they control the weather. -Margaret
Medicaid is for poor people.
TFA quotes:
25,096 appear to have had their Social Security numbers (SSNs) compromised
... many of them feel violated
“But we also hope they understand we are doing everything we can to protect them from further harm.”
Poor people... have their SSN compromised, feeling violated (bordering on "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future.
However... are the East European hackers the primary cause of their situation?
Questions raise, answers kill. Raise questions to stay alive.
Okay, Slashdot seems to be getting worse and worse about distorting things in the titles of the topics. "Medicaid Hacked" is NOT what happened here. Not even close. And when the first line of the topic's body is "The Utah Department of Health has been hacked," then you can't even excuse the poster as having been a little confused; it's flagrant tabloid-like sensationalism. Cut it out, already.
For your security, this post has been encrypted with ROT-13, twice.
Because de facto it's not. So we shouldn't assume that it's secret and never use it as a means of authentication. About as secret as your zip code.
In other words, if a bank gives out a loan based on SSN alone, let _them_ hold the bag on it.
How long do you think SSN theft will remain profitable after we do that?
Password: Admin
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.
"When information is power, privacy is freedom" - Jah-Wren Ryel
It's another government boondoggle.
FTFY by including the proper citation (and attribution).
Questions raise, answers kill. Raise questions to stay alive.
I agree! If a bank or company gives someone a loan based on a name, birthday, and SSN, then it is the bank's fault. Because they did not take steps to properly verify who they gave money to, it is the bank's fault. I was not involved in any way. Any damage to my credit rating and the time I spent cleaning things up, the bank must reimburse me for.
I have been notified twice that my info was stolen from university servers, so they gave me one year free credit monitoring each time. The info is still valid after one year, dumbazzes. If someone gives out a loan based on my info, I will contact a lawyer and have them send a letter to that bank and demand that they cover all costs related to cleaning up after their error. No one should give out a loan without seeing the person face to face and take a photograph, and fingerprints when it exceeds $1000 or something. I am so sick of everyone being allowed to push it off to the innocent party.
You should not hack into systems you don't have permission to access. It is illegal, for the same reason it is illegal to break into a house you don't have permission to access. It doesn't matter if you are capable of doing it, you shouldn't do it. Thus if you do, expect to be held criminally accountable.
This idea of blame the victims, don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break into your house, so long as I am able.
Thing is, I'd be very able. Your physical security is shit, as is everyone's. Individuals never bother with good security. You'll have a regular lock that is vulnerable to bumping, ice picking, and so on. That aside a shotgun with door breaching rounds will take it off the hinges no problem since you have no reinforcement on them. Your walls are probably made of drywall, wood framing and stucco, so a Sawzall can easily take care of that.
You don't choose to spend the time money or effort to secure your house further... Nor should you have to. Yet you think that if people don't have perfect computer security, well someone should be allowed in.
Also this is funny because show me this perfect security. Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.
I wish the media would focus on how idiotic Health Insurance companies are, especially in their IT usage.
I work for a hospital and previously I worked for a start-up that did cutting edge medical technology. And let me tell you the insurance companies' IT is just pure insane and stupid.
The government pushed a new electronic bill form called 5010, which is an upgrade of 4010. These bill forms are sent via EDI (kind of a star-delimited format with a tilde as the line terminator, a throwback to old punch card technology). The differences between 4010 and 5010 are for the most part minor, and these changes were due January 1st. We are now in April. Now most of the insurance companies are compliment, but there are others who are not; their test environment and production are very different, and the test will allow different rules than production. So when a hospital goes live after testing and getting clean tests, they get rejection after rejection because they are not sending the right rules to the insurance company.
Then they stick to the lie (the electronic format has the same data as the paper form). This is a lie, an absolute lie! You call them on the lie and they will flat out deny it. Until you send the data and they reject your claims because there is data that isn't on the paper form, and some fields are on the paper form that you cannot fill in the electronic one. Their checking system is insane. If they don't need that field you better not send it or your claim will get rejected.
Now lets go over the transmission to the insurance companies...
Method one: the old BBS. Yes, that's right, the old dial-up BBS is still active. When writing scripts to automate connecting to the companies I see those old DOS-based BBSs of the olden days; most of them have upgraded to allow ZMODEM transfer. Now the more modern ones use Secure FTP. Secure FTP (not to be confused with sftp), as in your data channel is encrypted but not always your command channel. Or worse, there are these VPN groups that many insurance companies get on where after you connect to the VPN you normally FTP to the site... (where a rogue billing company can monitor the ports and see what goes on, because they happen to be in the VPN network)
Everyone worries about HIPAA violations from the health care organization. For the most part now health care organizations have far more modern and secure systems than the insurance companies do. And if there is going to be a hack, it will be in the insurance companies.
Now you are going to say: this hack was with Medicaid, not a private insurance company. Well, Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to insurance companies to do all the work. Because of the big numbers these companies often do it at a discount. However, they will also cut corners to give more service to their higher-paying premium customers. The reason why Medicaid and Medicare have the lowest percentage for administration costs is because they are operated so lightly and push the work to the health care organization to do all the administration. Then they will pass the costs to their customers. And it makes it that much more expensive because you have a bunch of smaller organizations doing advanced administration who cannot do it as optimally as a larger company which can scale the administration costs.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You could bring up many states farm out medicare and medicaid to private companies.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
These hacks, and all hacks that steal information but no money, etc., would be made pointless if the banking system and credit bureaus had better validation requirements!!! But instead they want to defraud their customers by selling credit and identity protection.
What part of America is Europe in?
Why, that's obvious! You know that Europeans speak French, don't you? Therefore it must be a parish somewhere in Louisiana. Failing that, it's sure in Canada.
Questions raise, answers kill. Raise questions to stay alive.
Isn't that the whole point of the noble savage myth?
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Banks don't need security once we get over this "blame the victim" mentality.
After all, I'm sure we all store thousands of social security numbers at home.
What exactly are they going to do with these? Identity theft? I'd be willing to bet that these people don't have good enough credit, assets, etc. to make it worthwhile.
You say they are compliant. However, if they're rejecting claims because you're including information that they don't use, they're not compliant with the standard. From the X096/X097/X098 4010 837 transaction set implementation guides:
1.3 Business Use and Definition
...
Trading partners agreements are not allowed to set data specifications that conflict with the HIPAA implementations. Payers are required by law to have the capability to send/receive all HIPAA transactions. For example, a payer who does not pay claims with certain home health information must still be able to electronically accept on their front end an 837 with all the home health data. The payer cannot up-front reject such a claim. However, that does not mean that the payer is required to bring that data into their adjudication system. The payer, acting in accordance with policy and contractual agreements, can ignore data within the 837 data set. In light of this, it is permissible for trading partners to specify a subset of an implementation guide as data they are able to process or act upon most efficiently. A provider who sends the payer in the example above, home health data, has just wasted their resources and the resources of the payer. Thus, it behooves trading partners to be clear about the specific data within the 837 (i.e., a subset of the HIPAA implementation guide data) they require or would prefer to have in order to efficiently adjudicate a claim. The subset implementation guide must not contain any loops, segments, elements or codes that are not included in the HIPAA implementation guide. In addition, the order of data must not be changed. Trading partners cannot up-front, reject a claim based on the standard HIPAA transaction.
I don't have the 5010 guides, but I'm sure you'll find the same or similar language
make imaginary.friends COUNT=100 VISIBLE=false
Follow-up: On the other hand, if you're sending data that is defined as unused in the HIPAA (as opposed to the payer's) Implementation Guide, then they are correct in rejecting it as your transaction isn't compliant.
make imaginary.friends COUNT=100 VISIBLE=false
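Two points in this thread are easier to see in code: the star-delimited, tilde-terminated EDI wire format described a few posts up, and the implementation guide language quoted just above about what a payer front end may and may not reject. The block below is an added example written for this page, not code from any poster, payer or clearinghouse. It parses an X12 interchange using the delimiters the interchange itself declares in its ISA header (going slightly beyond the thread, which only mentions the usual `*` and `~`), then applies two front-end policies to the same constructed 837-style claim: the behaviour the guide requires (ignore unused-but-valid segments) and the behaviour complained about (reject anything outside the payer's subset). The payer subset, the guide segment list (partial), the sender/receiver IDs and the sample claim are all assumptions made up for the example.

```python
"""Constructed example for this thread, not code from any poster or payer:
a minimal ANSI X12 interchange parser plus two front-end acceptance policies.

X12 is the star-delimited, tilde-terminated format described above. The
delimiters are not fixed by the standard; they are read from the ISA header,
which is the one fixed-width segment: 106 characters, element separator at
offset 3, sub-element separator at offset 104, segment terminator at offset 105.
The segment lists below are illustrative subsets, not the full 837 guide.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

ISA_LENGTH = 106


@dataclass
class Segment:
    tag: str
    elements: List[str]


def detect_delimiters(raw: str) -> Tuple[str, str, str]:
    """Return (element_sep, sub_element_sep, segment_terminator) from the ISA."""
    if len(raw) < ISA_LENGTH or not raw.startswith("ISA"):
        raise ValueError("interchange does not start with a complete ISA segment")
    return raw[3], raw[104], raw[105]


def parse_x12(raw: str) -> List[Segment]:
    """Split an interchange into segments using the delimiters it declares."""
    elem_sep, _sub_sep, seg_term = detect_delimiters(raw)
    segments: List[Segment] = []
    for chunk in raw.split(seg_term):
        if seg_term not in "\r\n":
            chunk = chunk.strip("\r\n")  # tolerate "~\n" style line breaks
        if not chunk:
            continue
        parts = chunk.split(elem_sep)
        segments.append(Segment(parts[0], parts[1:]))
    return segments


# Assumed: the segment IDs a hypothetical payer actually adjudicates on.
PAYER_SUBSET: Set[str] = {"ISA", "GS", "ST", "BHT", "NM1", "CLM", "SE", "GE", "IEA"}

# Assumed and partial: segment IDs defined by the HIPAA 837 implementation guide.
GUIDE_SEGMENTS: Set[str] = PAYER_SUBSET | {
    "HL", "SBR", "REF", "DTP", "HI", "SV2", "N3", "N4", "DMG", "PER", "LX", "AMT",
}


def compliant_front_end(segments, guide=GUIDE_SEGMENTS, subset=PAYER_SUBSET):
    """What the quoted guide text requires of a payer front end.

    A segment the guide does not define makes the transaction non-compliant,
    so rejecting it is correct. A guide-defined segment the payer does not use
    is accepted and simply ignored; it must not cause an up-front rejection.
    Returns (decision, tags): the rejected tags, or the ignored ones."""
    unknown = [s.tag for s in segments if s.tag not in guide]
    if unknown:
        return "reject", unknown
    return "accept", [s.tag for s in segments if s.tag not in subset]


def strict_front_end(segments, subset=PAYER_SUBSET):
    """The behaviour complained about above: any segment outside the payer's
    own subset is rejected, even when it is valid 837 data."""
    extra = [s.tag for s in segments if s.tag not in subset]
    return ("reject", extra) if extra else ("accept", [])


def build_isa(sender: str, receiver: str, control: str = "1",
              elem: str = "*", sub: str = ":", term: str = "~") -> str:
    """Build a fixed-width ISA header; field widths are what make it 106 chars."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), "120408", "1200", "^", "00501",
              control.zfill(9), "0", "T", sub]
    return elem.join(fields) + term


# Constructed 837-style claim; IDs, dates and amounts are made up.
SAMPLE_INTERCHANGE = (
    build_isa("UTHOSPITAL", "PAYER01")
    + "GS*HC*UTHOSPITAL*PAYER01*20120408*1200*1*X*005010X223A2~"
    + "ST*837*0001*005010X223A2~"
    + "BHT*0019*00*123*20120408*1200*CH~"
    + "NM1*41*2*SAMPLE HOSPITAL*****46*UTHOSPITAL~"
    + "CLM*PATCTL001*1250.00***11:A:1*Y*A*Y*Y~"
    + "REF*EA*MRN000123~"   # valid 837 segment this payer happens not to use
    + "SE*7*0001~"
    + "GE*1*1~"
    + "IEA*1*000000001~"
)

if __name__ == "__main__":
    segs = parse_x12(SAMPLE_INTERCHANGE)
    print("delimiters:", detect_delimiters(SAMPLE_INTERCHANGE))
    print("segments:  ", [s.tag for s in segs])
    print("compliant: ", compliant_front_end(segs))
    print("strict:    ", strict_front_end(segs))
```

Running it shows the same claim accepted (with `REF` listed as ignored) by the compliant policy and rejected by the strict one; swapping the `REF` segment for an undefined tag flips the compliant policy to a rejection, which is the one case where the guide permits it.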
http://yro.slashdot.org/story/12/04/08/1850249/innocent-or-not-the-nsa-is-watching-you
Could be related, considering they're in the same state. Maybe the attackers wanted to hit home and hit hard.
"Well Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to an Insurance companies to do all the work."
But private business always does things better than government agencies. The Republicans told me so!
To be fair, he said they are compliment.
Seven puppies were harmed during the making of this post.
Medicaid is for poor people.
TFA quotes:
25,096 appear to have had their Social Security numbers (SSNs) compromised
... many of them feel violated
“But we also hope they understand we are doing everything we can to protect them from further harm.”
Poor people... have their SSN compromised, feeling violated (bordering on "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future. However... are the East European hackers the primary cause of their situation?
That's a rhetorical question and you know it. It would be better for you to answer it yourself.
Somebody raised the question in a non-rhetorical manner. A suggestion of my position in this matter. If you'd like, let's close this thread and continue the discussion on the other one.
Questions raise, answers kill. Raise questions to stay alive.
Actually, insurance companies want the uploads to fail. If they don't fail, then they actually have to pay money on a claim. They'd rather not do that, it goes against the bottom line.
Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor. No way you'll be able to identity theft up a Gold Card with that info. If they weren't so broke they couldn't pay attention, they couldn't get Medicaid.
Understanding the scope of the problem is the first step on the path to true panic.
...there has been a run on illicit payday loans! Investigators believe there may be a link to the Medicaid breach.
What's the "Most religious state?" What's the most Republican state? What state can't host the Olympics without embarrassing the USA with their corruption? What state lost $2.5M to stupid Nigerian "You have been selected to win $100M dollars!" scams? What state bans effective sex-ed? Banning D&D in public schools... polygamy... and these people are too innocent to know that the religious right GOP crowd they want to join knows for sure that every Mormon will burn in Hell.
And after yet another epic f--kup, I have to listen to posts like this... on an article about how Utah can't keep track of their Medicare records, and this somehow is an opportunity to blame Obamacare? Give me a break.
Celebrate failure, and then learn from it - Nolan Bushnell
Why do I say big deal? Medical records aren't safe in any kind of form or capacity. I've had 5 different entire sets of medical results lost, misplaced and never found. I've had medical records lost in shipment from one doctor to another. So what's the big deal? The medical industry doesn't give a rat's ass about keeping your data safe; losing one medical result is bad enough, losing two is unacceptable and losing 5 is just beyond insane. If doctors, hospitals and front desk personnel really cared what happened to your medical documents they would guard them with their life, and they don't.
I would like to add that over the last 15 years NONE of the missing results have been found, nor even traces of the documents. London General even admitted they were sorry after the first time they lost the documents; they didn't give a shit after losing the second, and Grand River Hospital in Kitchener, Ontario has never once stood up and told me it's their fault for losing the other 3 documents. If you want a great insecure place to put documents and personal information, then the medical association is the place for you!
Yeah, it's like when I worked for our road authority: we had a B2B link to pass road service jobs to a contractor. To test the link we put "test" in every field and the contractor still dispatched the job and billed us. They want to get paid, duh.
http://michaelsmith.id.au
Yep, pretty much. We went from them requiring all sorts of random crap and numbers that they were not LEGALLY ALLOWED TO, to them getting pissed if you send extra data... Great and all, but their testing has been terrible. I have had so many clients where the testing is either overly sensitive, or lets anything through. Not to mention the fact that I can send the same data to two carriers and get two different results, even two separate rejections. It's all in the name of deny, deny, deny. The longer they don't pay the more money they keep on interest. Or better yet, they just won't pay ever.
The teens' info would be useful for identity theft in a few years. I presume the records would include SSN, DOB, mother's name, etc. And if they were to die in the intervening years, maybe you could create a whole new persona (I don't know if Social Security is checked when issuing new docs, to see if people have died).
I had this friend once, the real tinfoil hat kind of friend/acquaintance who:
- refused to use the internet
- lined his house in chicken wire/lead drywall
-I stopped talking to when he called me the enemy for working for a wireless internet company
He spoke of a day when we would all have the choice to take a national ID with a smart card and register our finger prints or be denied all government services.
errr..
120 characters ought to be enough for anyone
It wasn't hackers from another country. It was just a test run of the new NSA Utah Data Center. The Utah Department of Health just happened to be the nearest available guinea pig from which to steal sensitive personal data on thousands of Americans. It did what it was supposed to do.
I know it sounds crazy, but remember: You can't spell insane without the NSA.
Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor.
Because most of those people are old, living on fixed incomes, and are perfect targets for running a wide variety of scams. Just because their income is low does not mean they don't have other financial resources, for example savings accounts and many own their own homes. Many of them are also drawing social security, and with access to all their information payments could potentially be diverted, etc.
Because poor people don't check for identity theft as diligently. And there are many easy ways to temporarily build credit up and take advantage of said poor people's credit. I mean stealing Bill Gates' SSN is next to worthless, but stealing John Doe's can net you hundreds of thousands if it's used right.
You're thinking of Medicare, not Medicaid. Medicare is the old people's medical insurance you pay into your entire working career, and now that it went private, they take 'your' premiums directly out of your Social Security check to give to your 'Medicare provider' along with the money the government gives them. By looting your Social Security check, the government doesn't need to kick in as much.
Medicaid is the medical insurance provided by the various states for people on Welfare and such. Two totally different things.
Understanding the scope of the problem is the first step on the path to true panic.
Those hackers should now have a lot of information about me. I was deported into homelessness in 2008 when two other ladies decided I wasn't responsive. Amid threats of hospitalization, I signed back onto Medicaid. Haven't been off of it since. If you wonder what the State Insane Asylum is like, it is essentially a prison where you can't see the stars ever, and the most important thing is a policy against yelling. Papers and personal items are routinely stolen from their admits. I now live in a nursing facility because of the option I was given: face a diagnosis which was not invasive, or put the diagnosis back into limbo because of prescriptions, with an escape to potential freedom. I chose the former. Now there is no one watching me. No one cares. At the Asylum there was constant visibility, roommate pairs, and mind control. Showing affection was impossible. And it is done to them for no crime. Bottom line, I support the hack. I still have my own bank account. There was information accessed which should be troubling to the public (information about shot brutality) which I don't really have access to myself unless I could afford to correspond with the entity via FOIA. If there was interest, there should be investigative reporting. Utah separated the Department of Health from a new Department of Drug Addiction and Safety(sp?) in the news last year. So the Department of Health isn't housing a bunch of druggies, one should suspect. There is a girl there, Allison, who has been there for years and no one would ever know her name. She's just a young girl absorbed in Scientology. It really feels unfair to me to lock them away from the stars.
A stopped clock is right twice a day.
What state lost $2.5M to stupid Nigerian "You have been selected to win $100M dollars!" scams?
Nooo! No way. You are kidding me. That cannot be serious.
The hackers, who seem to have bounced their final hop off location(s) in Eastern Europe...
FTFY
Mini virtual server. Seriously, this will sound like a weird idea, but rather than having a webserver that connects to a DB which requires secured code, how about an instance level virtual server? Basically, when you log-in, you create a virtual server, with your personal information. Nothing else. For this to work, it requires the ability to spin up quickly virtual servers, OR an 'instances' of a DB with its copy of data, but only with the data tied to that login or key.
Also, it is long past time to push IPv6. With it, comes decent security. Give a key. Yes, we can do a key tied to the web server, but, this is the ability to tie it to the network.
I prefer the "u" in honour as it seems to be missing these days.
secure your servers.
We know already.
Sadly the world is full of idiot professional manager types who can't tell a prototype from a finished version. These are the people who need to know the risks they create by their idiot behavior.
... many of them feel violated
Welcome to the TSA plus Obamacare? Bringing the air traffic experience to medicine.
Sorry mate, not here. For Obamacare there's a special thread, with the special note that the thread is modded Offtopic.
Questions raise, answers kill. Raise questions to stay alive.
Mate, you forgot to post a whinge about insta-downmodding... how can you get that sloppy lately?
Questions raise, answers kill. Raise questions to stay alive.
Is it wrong that my first thought-- after "Oh good, it's not HERE." --was to wonder why the hell someone would hack the medicaid records for Utah? I mean, really. Utah?
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
There is no "+1 Facts". Unless facts are interesting, insightful or otherwise bring something positive to the discussion, they don't deserve a modding up. And if they are written solely to enrage others or elicit a response, they deserve "-1 Flamebait" or "-1 Troll".
What I want now is a heuristic filter that will downmod any post that appears to be a list of posts, links, or quotes with bolding. That would increase the signal to noise level here, because quite frankly, these irrelevant lists are NOISE.
Welcome to the TSA plus Obamacare? Bringing the air traffic experience to medicine.
Obamacare, Romneycare, what's the difference?
"The two laws are, in the words of Jonathan Gruber, who helped design both the Romney and Obama plans, “the same fucking bill.”
Now go fuck off and spread your uninformed opinion somewhere more appropriate, the sewer for example.
We need this to be universal !
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
It may not give access to much in the way of immediate cash funds. But like any random SSN they can be used in other frauds. Maybe on a one-for-one basis they aren't as valuable to a criminal as, say, my SSN would be, but they got away with more than 25 thousand of them. So even if they only get a few hundred bucks' worth of fraudulent activity out of each, it'll add up. So now those 25 thousand people who were probably already having a rough time of it have the added excitement of probably being the victims of ID theft in the near future. And it's not like you can just go get a new SSN, so once it's out there it'll be a spectre for the rest of your life.
They're on Medicaid - they get their money from people who actually work for it. Most probably have awful credit as well.
he wasn't rated "off topic" for it, but I was... please, give us a break: Keep making this site & its bogus moderation system look worse than it is... you only make my case for me doing that!)
Wish granted, here's the one for you: Guys, you are allowed to take a break!
Offtopic, I know, but I must admit that the whinge was exquisite, mate (hear this one: LMAO... and this: you only make my case for me doing that!) Brilliant, I tell you... absolutely brilliant, sincere thanks for it. In return, I'll tell you that life isn't supposed to be fair, but at most interesting enough to worth living - and you should see what's happening here as very interesting... nay, scratch that... intriguing at its most (be it only for the mystery of the /. modding).
Until next time, I'll remain yours...
Questions raise, answers kill. Raise questions to stay alive.
Well duh, my new crime-as-a-cloud service can now offer a feature that screens these people from your card lists, at only half the cost of the traditional merchant-account leasing service.
help me i've cloned myself and can't remember which one I am
I suppose so...
120 characters ought to be enough for anyone
Actually, you don't know what you're talking about. Insurance companies pay claims based on contracts with their members and providers. I've worked with scores of insurance companies and every single one is trying to adjudicate and pay claims as fast as they can. Ignoring the claims does not release them of their obligation to pay according to the contract. In other words, the claim WILL be paid if they have contractual responsibility. It's just a matter of if it will be paid with penalties, lost discounts, and unhappy customers or not.
The additional issue with this breach is the exposure of medical data. Thousands of claims transactions were lifted. Claims contain identifying information (demographics), medical diagnosis data, medical procedure data, etc. That information can be used for blackmail and discrimination purposes.
Actually, I worked in that 'industry' for 15 years. Yes, I do know what I'm talking about. Insurance companies only have to pay on claims that have been 'filed in a timely manner', the filing deadline is specified in the policy. Improperly filed claims are considered to be 'no claim' until they have been 'properly refiled', and if the filing deadline is passed before this happens, no payment is made on that claim. It's in the policy, which is considered to be a contract under the law.
Understanding the scope of the problem is the first step on the path to true panic.
Yes, you are correct. One of my best friends is a conservative Mormon, and being Unitarian, I'd be ashamed to belittle others for their faith, though stupid political beliefs are fair game. I don't believe Mormons are higher or lower on the Holy Ladder, but I read the Book of Mormon (my friend gave me a copy), and I read that the innocent people who had not read the book are still possibly going to Heaven, but now that I've read it and did not convert (I'm still Unitarian), I am in fact quite clearly banned from the presence of God, according to the book. However, our local Baptists here in NC will waste no time explaining why Jews and Mormons are damned, so we can all enjoy damnation together.
Celebrate failure, and then learn from it - Nolan Bushnell
Failed uploads do not constitute incorrectly filed or non-timely claims. The payers are not off the hook for them. This is especially true if the systems at fault are owned by the payer or its vendor. I have personally been involved with cases where delays due to technical issues delivering the claims caused payment penalties. If the provider's systems are at fault, that's a different story. In most cases, the claims are resubmitted by providers until paid, or their billing office intervenes and contacts the payer directly.