Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen

An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."

31 of 181 comments

  1. Too bad for the crooks that the people are poor. by gmanterry · · Score: 3, Interesting

    Medicaid is for poor people. Stealing their identity won't gain them access to much money. However, the SS numbers might be useful for illegal alien ID cards.

    --
    Since when is "public safety" the root password to the Constitution?
  2. And who will be held responsible? by Eightbitgnosis · · Score: 5, Insightful

    Survey says..............

    No one!

    1. Re:And who will be held responsible? by Kawahee · · Score: 5, Insightful

      The cynic in me says the hackers will be held responsible.

      --
      I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
    2. Re:And who will be held responsible? by c0lo · · Score: 3, Funny

      The cynic in me says the hackers will be held responsible.

      Seconded.

      FTFA adjusted with a link

      Director Michael Hales said in a statement. “But we also hope they understand we are doing everything we can to protect them from further harm.”

      --
      Questions raise, answers kill. Raise questions to stay alive.
  3. We must stop pretending SSNs are secret! by Anonymous Coward · · Score: 5, Insightful

    We have to stop pretending that the SSN is something only the owner knows. It cannot be an identifier and a password at the same time. It's because of our retarded system that SSNs are such a juicy theft target. Other countries have similar personal identification numbers and no rampant "identity theft" problems like we have here in the US.

    Simply put, someone should not be able to pretend they are you just by knowing your SSN and name and date of birth. All should be public info and not security questions. Someone can't go in and get a loan just because they found my name in the phone book; it should be the same with the SSN. Leave it as an identifier and only an identifier. The cat's out of the bag with the secret part.

    1. Re:We must stop pretending SSNs are secret! by kqs · · Score: 5, Insightful

      I have no idea what you mean by "owner".

      The government assigns them. Each number is supposed to uniquely identify a citizen and is used mostly for SS (and a few other governmental uses). So far so good; the government assigns them and (apparently) uses them appropriately as a unique ID number.

      Now we have dozens of private businesses using them as a password. Fine, I guess it's a free country. But somehow, if someone finds out my number and uses it to open a loan in my name, *I'm* liable for the loan. It's my phone that rings with creditors and my credit score which is damaged. It seems to me that the problem is these corporations which use these numbers as passwords but disclaim liability for fraud. Make it clear that financial institutions have the liability for bad loans they originate, that bad credit reports MUST be cleared unless the financial institution can prove they are true, and that there are very strict penalties for companies which abuse these rules, and the "identity theft" problem will vanish very quickly.

  4. Re:Too bad for the crooks that the people are poor by GmExtremacy · · Score: 3, Funny

    It's too hard. I give up! What's the answer?

  5. There ought to be a security certification by Beeftopia · · Score: 2

    There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.

    Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.

  6. Effective technology by bdabautcb · · Score: 2

    This brings up an interesting question as to whether the advantages of storing massive amounts of personal data on public facing servers (or any server at all; recent reports have me convinced that anybody, including governments, foreign hackers, or anyone else, who wants the data badly enough will be able to find a way to get it) create large enough benefits to balance the damages caused by breaches like this.

    --
    Koalas. They're telepathic. Plus, they control the weather. -Margaret
  7. Re:Too bad for the crooks that the people are poor by c0lo · · Score: 2, Insightful

    Medicaid is for poor people.

    TFA quotes:

    25,096 appear had their Social Security numbers (SSNs) compromised

    ... many of them feel violated

    “But we also hope they understand we are doing everything we can to protect them from further harm.”

    Poor people... have their SSN compromised, feel violated (bordering on "raped" in one meaning of the term) and are asked for understanding with promises of "best effort" towards a better future.
    However... are the East European hackers the primary cause of their situation?

    --
    Questions raise, answers kill. Raise questions to stay alive.
  8. Headlines? by Shoten · · Score: 5, Insightful

    Okay, Slashdot seems to be getting worse and worse about distorting things in the titles of the topics. "Medicaid Hacked" is NOT what happened here. Not even close. And when the first line of the topic's body is "The Utah Department of Health has been hacked," then you can't even excuse the poster as having been a little confused; it's flagrant tabloid-like sensationalism. Cut it out, already.

    --
    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Headlines? by JSG · · Score: 2

      Note the name of the submitter of the article and then ignore in future. You'll find /. much more fun then.

  9. SSN should not need be secret by zr · · Score: 2

    Because de facto it's not. So we shouldn't assume that it's secret and never use it as a means of authentication. About as secret as your zip code.

    In other words, if a bank gives out a loan based on SSN alone, let _them_ hold the bag on it.

    How long do you think SSN theft will remain profitable after we do that?

    1. Re:SSN should not need be secret by swalve · · Score: 2

      But multiple factors increase the entropy greatly. If someone guesses my number and burns a card with it, or steals my card, they have to know my zip code to be able to use it. If they got my wallet, it's probably easy. (Not in my case, as my CC stuff is billed to a different zip code, but I digress.) But it adds a level of complication to the transaction.

  10. Online records "hindenburg moment?" by GameboyRMH · · Score: 4, Insightful

    I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  11. As they should be by Sycraft-fu · · Score: 5, Interesting

    You should not hack in to systems you don't have permission to access. It is illegal, for the same reason it is illegal to break in to a house you don't have permission to access. It doesn't matter if you are capable of doing it, you shouldn't do it. Thus if you do, expect to be held criminally accountable.

    This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.

    Thing is, I'd be very able. Your physical security is shit, as is everyone's. Individuals never bother with good security. You'll have a regular lock that is vulnerable to bumping, ice picking, and so on. That aside a shotgun with door breaching rounds will take it off the hinges no problem since you have no reinforcement on them. Your walls are probably made of drywall, wood framing and stucco, so a Sawzall can easily take care of that.

    You don't choose to spend the time, money or effort to secure your house further... Nor should you have to. Yet you think that if people don't have perfect computer security, well someone should be allowed in.

    Also this is funny because show me this perfect security. Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.

    1. Re:As they should be by Kawahee · · Score: 2

      I am not sure that it's illegal to "hack in to systems you don't have permission to access" in all parts of the world. For this reason, I think the onus falls to the implementer to make sure that any system they develop and make available on the public internet is secure.

      --
      I'll subscribe to Slashdot when I see a month without a dupe, a typo, or an article the "editors" didn't read.
    2. Re:As they should be by Anonymous Coward · · Score: 5, Insightful

      "Your physical security is shit, as is everyone's."

      No one is arguing that hackers who hack into a system and subsequently either damage the system or leak confidential information from the system out onto the rest of the Internet (or communicate that information to people other than employees of the company to report it to them to fix it) shouldn't be held accountable. They absolutely should.

      But there is a huge difference between a residential house (my computer with my info on it) and a bank (a service provider). When I go to a bank, I don't see them leaving unguarded money out in the open for anyone to easily grab. No, they have safes, they have bullet proof glass, they have cameras, they have security guards, they have security switches to alert cops of a robber, they have all sorts of security. Even liquor stores are careful with money, having those huge armored vehicles transporting money from place to place. We expect and require them to take measures to ensure your money is safe.

      A service provider is like a bank of information, they should also hold some responsibility and accountability if they store your personal information in such a way that it can easily get hacked into.

      And corporations are part of the problem as well. Historically, white hat hackers used to report security vulnerabilities to corporations long before leaking them on the Internet. A while back I remember someone reported a 2wire vulnerability to 2Wire and they did absolutely nothing about it for six whole months before the person who discovered the vulnerability communicated it over the Internet and 2wire finally fixed it with a firmware upgrade (due to public pressure). Many times when people communicate vulnerabilities to corporations privately they simply ignore them. Or they sue. So now people no longer put up with that and they simply leak the information onto the Internet. Which, in some ways, is even better than allowing this information to be kept secret and discovered by black hat hackers who will buy and sell it in the black market and use it nefariously against unsuspecting victims. Because by the time a white hat hacker who doesn't profit as much from discovering the vulnerabilities discovers them, chances are black hat hackers who stand to profit (and are hence far more determined to discover these vulnerabilities) already have. Black hat hackers who know very well how to get away with what they do. So in some ways it's better that the vulnerabilities and potential victims be made aware of the vulnerabilities early so they can respond before something happens.

      IIRC, Google will even pay a white hat hacker to privately report a vulnerability in its system so they can fix it. That's how security should work. We're not just criticizing that these corporations make mistakes and allow vulnerabilities to exist in their systems. We're also criticizing their response when a vulnerability is privately reported. That needs to change.

    3. Re:As they should be by arth1 · · Score: 4, Informative

      This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid.

      I don't see this much. I see a lot of blaming the criminals and those who made it easy for the criminals.
      That B is responsible too doesn't take any blame away from A. Just like if your handyman forgets to lock the door, it doesn't make the burglar any less responsible; it only adds blame to the handyman.

      Remember, the victim here isn't the Utah Department of Health, it's the users of the services. The Utah Department of Health gets some blame too, not instead.
      If any of the victims are to blame for anything, it's voting for a system that puts everything to the lowest bidder, making shit like this a common occurrence and impossible to safeguard against.

    4. Re:As they should be by c0lo · · Score: 2

      (and black hat hackers who are also likely considerably more experienced at finding these vulnerabilities than white hat hackers and so they are better at it).

      Did they extend the black belt ranking to hats as well?

      --
      Questions raise, answers kill. Raise questions to stay alive.
  12. Re:if you can't beat them by jellomizer · · Score: 5, Interesting

    I wish the media would focus on how idiotic Health Insurance companies are, especially in their IT usage.
    I work for a hospital and previously I worked for a start-up that did cutting edge medical technology. And let me tell you, the insurance companies' IT is just pure insane and stupid.

    The government pushed a new electronic bill form called 5010 which is an upgrade of 4010. These bill forms are sent via EDI (kind of a star delimiter with a tilde line feed, a throwback to old punch card technology). The differences between 4010 and 5010 are for the most part minor, and these changes were due January 1st. We are now in April. Now most of the insurance companies are compliment but there are others who are not; their test environment and production are very different and the test will allow different rules than production. So when a hospital goes live after testing and getting clean tests they get rejection after rejection because they are not sending the right rules to the insurance company.
    Then they stick to the lie (the electronic format has the same data as the paper form). This is a lie, an absolute lie! You call them on the lie and they will flat out deny you, until you send the data and they reject your claims because there is data that isn't on the paper form, and some fields on the paper form you cannot fill in the electronic one. Their checking system is insane. If they don't need that field you better not send it or your claim will get rejected.

    Now let's go over the transmission to the insurance companies...
    Method one: the old BBS. Yes, that's right, the old dial-up BBS is still active. When writing scripts to automate connecting to the companies I see those old DOS-based BBSs of the olden days; most of them have upgraded to allow ZMODEM transfer. Now the more modern ones use Secure FTP. Secure FTP (not to be confused with sftp), as in your data channel is encrypted but not always your command channel. Or worse, there are these VPN groups that many insurance companies get on where after you connect to the VPN you then normally FTP to the site... (where a rogue billing company can monitor the ports and see what goes on, because they happen to be in the VPN network).

    Everyone worries about HIPAA violations from the health care organization. For the most part now health care organizations have far more modern and secure systems than the insurance companies do. And if there is going to be a hack it will be in the insurance companies.

    Now you are going to say: this hack was with Medicaid, not a private insurance company. Well Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to an Insurance companies to do all the work. Because of the big numbers these companies often do it at a discount. However they will also cut corners to give more service to their higher paying premium customers. The reason why Medicaid and Medicare have the lowest percentage for administration costs is because they are operated so lightly and push the work to the health care organization to do all the administration. Then they will pass the costs to their customers. And it makes it that much more expensive because you have a bunch of smaller organizations doing advanced administration who cannot do it as optimally as a larger company who can scale the administration costs.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  13. These hacks wouldn't matter... by justcauseisjustthat · · Score: 5, Interesting

    These hacks and all hacks that steal information but no money, etc. would be made pointless if the banking system and credit bureaus had better validation requirements!!! But instead they want to defraud their customers by selling credit and identity protection.

  14. So? by s0nicfreak · · Score: 2

    What exactly are they going to do with these? Identity theft? I'd be willing to bet that these people don't have good enough credit, assets, etc. to make it worthwhile.

  15. Re:if you can't beat them by gstrickler · · Score: 5, Informative

    You say they are compliant. However, if they're rejecting claims because you're including information that they don't use, they're not compliant with the standard. From the X096/X097/X098 4010 837 transaction set implementation guides:

    1.3 Business Use and Definition
    ...
    Trading partners agreements are not allowed to set data specifications that conflict with the HIPAA implementations. Payers are required by law to have the capability to send/receive all HIPAA transactions. For example, a payer who does not pay claims with certain home health information must still be able to electronically accept on their front end an 837 with all the home health data. The payer cannot up-front reject such a claim. However, that does not mean that the payer is required to bring that data into their adjudication system. The payer, acting in accordance with policy and contractual agreements, can ignore data within the 837 data set. In light of this, it is permissible for trading partners to specify a subset of an implementation guide as data they are able to process or act upon most efficiently. A provider who sends the payer in the example above, home health data, has just wasted their resources and the resources of the payer. Thus, it behooves trading partners to be clear about the specific data within the 837 (i.e., a subset of the HIPAA implementation guide data) they require or would prefer to have in order to efficiently adjudicate a claim. The subset implementation guide must not contain any loops, segments, elements or codes that are not included in the HIPAA implementation guide. In addition, the order of data must not be changed. Trading partners cannot up-front, reject a claim based on the standard HIPAA transaction.

    I don't have the 5010 guides, but I'm sure you'll find the same or similar language.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
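An added example, not code from the thread or from any payer's system, showing the two front-end behaviours jellomizer and gstrickler are arguing about: a small parser for the star-delimited, tilde-terminated EDI claim files jellomizer describes, a front end that does what the quoted implementation guide requires (accept the claim, ignore data outside its subset), and the non-compliant one that bounces a claim for carrying a segment it doesn't use. The REQUIRED/PROCESSED subset, the segment names and the sample claim are constructed assumptions for the illustration.

```python
"""Two X12-style claim front ends (added example, not the thread's or any payer's code).
'*' separates elements and '~' ends a segment, as the thread describes; the REQUIRED and
PROCESSED sets are an assumed subset for a hypothetical payer; the sample claim is constructed."""
from dataclasses import dataclass
from typing import Dict, List

ELEMENT_SEP = "*"   # the "star delimiter"
SEGMENT_TERM = "~"  # the "tilde line feed"

@dataclass
class Segment:
    tag: str
    elements: List[str]

def parse_x12(raw: str) -> List[Segment]:
    """Split a tilde-terminated, star-delimited interchange into segments.
    Only line breaks are stripped: trailing spaces are data in the fixed-width ISA."""
    segments = []
    for chunk in raw.split(SEGMENT_TERM):
        chunk = chunk.strip("\r\n")
        if not chunk:
            continue
        parts = chunk.split(ELEMENT_SEP)
        segments.append(Segment(tag=parts[0], elements=parts[1:]))
    return segments

# Assumed payer subset: segments it needs, and segments it knows how to act on.
REQUIRED = {"ISA", "GS", "ST", "BHT", "NM1", "CLM", "SE", "GE", "IEA"}
PROCESSED = REQUIRED | {"HL", "SBR", "DTP", "SV1", "LX"}

def structural_errors(segments: List[Segment]) -> List[str]:
    """Problems a payer may legitimately bounce a claim for: missing required
    segments, or an SE01 segment count that does not match ST..SE."""
    errors = []
    tags = [s.tag for s in segments]
    for tag in sorted(REQUIRED - set(tags)):
        errors.append(f"missing required segment {tag}")
    if "ST" in tags and "SE" in tags:
        count = tags.index("SE") - tags.index("ST") + 1
        se01 = segments[tags.index("SE")].elements[0]
        if se01 != str(count):
            errors.append(f"SE01 says {se01} segments, found {count}")
    return errors

def compliant_front_end(segments: List[Segment]) -> Dict[str, object]:
    """What the quoted guide requires: accept a structurally sound claim and
    ignore data outside the payer's subset instead of rejecting on it."""
    errors = structural_errors(segments)
    ignored = sorted({s.tag for s in segments} - PROCESSED)
    return {"accepted": not errors, "errors": errors, "ignored": ignored}

def strict_front_end(segments: List[Segment]) -> Dict[str, object]:
    """The behaviour the thread complains about: any segment outside the
    payer's subset is treated as an error and the whole claim bounces."""
    errors = structural_errors(segments)
    errors += [f"unexpected segment {s.tag}" for s in segments if s.tag not in PROCESSED]
    return {"accepted": not errors, "errors": errors}

# Constructed 837-style claim carrying one NTE (free-text note) the payer does not use.
SAMPLE_CLAIM = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     *120330*1200*U*00401*000000001*0*T*:~"
    "GS*HC*SENDERID*RECEIVERID*20120330*1200*1*X*004010X098A1~ST*837*0001~"
    "BHT*0019*00*0001*20120330*1200*CH~NM1*41*2*EXAMPLE CLINIC*****46*SENDERID~"
    "HL*1**20*1~CLM*CLAIM0001*150.00***11:B:1*Y*A*Y*Y~"
    "NTE*ADD*CONSTRUCTED NOTE THE PAYER DOES NOT ADJUDICATE ON~"
    "SE*7*0001~GE*1*1~IEA*1*000000001~"
)

if __name__ == "__main__":
    segs = parse_x12(SAMPLE_CLAIM)
    print("compliant:", compliant_front_end(segs))  # accepted, NTE ignored
    print("strict:   ", strict_front_end(segs))     # rejected because of NTE
```

The compliant front end still rejects a claim whose SE01 count is wrong or whose required segments are missing, which is the distinction the guide draws between structural rejection and data the payer simply doesn't act on.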
  16. Re:if you can't beat them by Anonymous Coward · · Score: 4, Funny

    "Well Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to an Insurance companies to do all the work."

    But private business always does things better than government agencies. The Republicans told me so!

  17. Re:if you can't beat them by Dunbal · · Score: 4, Funny

    To be fair, he said they are compliment.

    --
    Seven puppies were harmed during the making of this post.
  18. Re:if you can't beat them by jamstar7 · · Score: 4, Interesting

    Actually, insurance companies want the uploads to fail. If they don't fail, then they actually have to pay money on a claim. They'd rather not do that, it goes against the bottom line.

    Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor. No way you'll be able to identity theft up a Gold Card with that info. If they weren't so broke they couldn't pay attention, they couldn't get Medicaid.

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  19. Re:One more reason against Obama-care by WaywardGeek · · Score: 4, Insightful

    What's the "Most religious state?" What's the most Republican state? What state can't host the Olympics without embarrassing the USA with their corruption? What state lost $2.5M to stupid Nigerian "You have been selected to win $100M dollars!" scams? What state bans effective sex-ed? Banning D&D in public schools... polygamy... and these people are too innocent to know that the religious right GOP crowd they want to join knows for sure that every Mormon will burn in Hell.

    And after yet another epic f--kup, I have to listen to posts like this... on an article about how Utah can't keep track of their Medicare records, and this somehow is an opportunity to blame Obamacare? Give me a break.

    --
    Celebrate failure, and then learn from it - Nolan Bushnell
  20. Re:if you can't beat them by jamstar7 · · Score: 2

    Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor.

    Because most of those people are old, living on fixed incomes, and are perfect targets for running a wide variety of scams. Just because their income is low does not mean they don't have other financial resources, for example savings accounts and many own their own homes. Many of them are also drawing social security, and with access to all their information payments could potentially be diverted, etc.

    You're thinking Medicare, not Medicaid. Medicare is the old people's medical insurance you pay on your entire working career, and now that it went private, they take 'your' premiums directly out of your Social Security check to give to your 'Medicare provider' along with the money the government gives them. By looting your Social Security check, the government doesn't need to kick in as much.

    Medicaid is the medical insurance provided by the various states for people on Welfare and such. Two totally different things.

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  21. Re:if you can't beat them by Larryish · · Score: 2

    The hackers, who seem to have bounced their final hop off location(s) in Eastern Europe...

    FTFY

  22. Re:Too bad for the crooks that the people are poor by Whorhay · · Score: 2

    It may not give access to much in the way of immediate cash funds. But like any random SSN they can be used in other frauds. Maybe on a one for one basis they aren't as valuable to a criminal as say my SSN would be, but they got away with more than 25 thousand of them. So even if they only get a few hundred bucks each worth of fraudulent activity out of each it'll add up. So now those 25 thousand people who were probably already having a rough time of it have the added excitement of probably being the victims of ID theft in the near future. And it's not like you can just go get a new SSN, so once it's out there it'll be a spectre for the rest of your life.