Slashdot Mirror
Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen
An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."
Poor people are probably less likely to keep an eye on their credit reports so they're actually better targets. Stealing identities to get 100 fraudulent cards with a $1000 limit each is much more useful than a single card with a $100,000 limit... especially since the person whose identity allowed you to get the $100,000 card is more likely to catch it and know how to deal with it before it's too late.
Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.
Right?
Almost all US citizens over 65 are on Medicare, which is not the same as Medicaid. Some elderly are on both Medicare and Medicaid, but most are not.
do it like they do in Luxembourg: arrest anybody who talks about the breach. After a while there will be nobody left that knows about it. Case closed!
The UK government lost 25 MILLION records on one disc. 500k is nothing.
Seriously, how bad does it have to get before people figure this out?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Using outsourcing and contractors / sub contractors not only adds overhead it also lets people play the pass the blame game that most of the time end's in on sub contractor getting changed (With all the cost that comes with it) with not fixing the real issues up front.
Now why should the techs take the blame for stuff out side of there control like having older softer that they don't have the funds or control to update. Don't have the power to make changes to the config with out having to go though levels contractors to get it done. Having to deal with NON tech mangers running the shop who do have control but they buy stuff on golf courses meeting with no in put from the tech people.
No, seniors are on Medicare, which is a completely different program.
Illegal aliens for one. Allows them to get a job.
it would be somewhat amusing if this helped the credit score for some of these people...though it would suck if it disqualifies them for medicaid
government agent: well it appears you are working 11 jobs in 3 states making a total of $123k per year. i am sorry but you don't fall under the minimum wage requirements to remain on medicaid...however we can offer you a heck of a deal on a new mortgage!
who is going to want SSN's of a bunch of poor people on Medicaid?
If you can fog a mirror you can get a car loan. A car can be driven across the border, to a chop shop, etc. If you're poor the interest rate will be 15% but if you stole the info and intend to never make a payment, no one cares. My mom had zero income, and someone with her info bought a pickup truck in Texas and disappeared into Mexico. She had no problem removing it from her credit history as it was beyond ridiculous, but if she were not so lucky, then it could have been a problem.
You don't need any money for an illegal to use your information to hold a job (IRS etc) or get free medical care. Actually a poor person has much better medical coverage than I do... so their info is more valuable than mine. The IRS thing with stolen SS numbers is no problem unless the illegal claims 15 exemptions and pays no tax.. then you have to pay their tax for them, or prove you're not working both as a sysadmin and a restaurant dishwasher simultaneously.
You don't need any money or credit record to visit a "check cashing place / payday loan joint" with a fake check, walk out with cash, and leave the victim to figure it all out.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I always wonder about these stories. They are obviously so ate up with their infrastructure that they don't know how to properly configure, maintain, and secure it. So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.
Hey Stalker!
Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
Unless they outsourced to a company [...] I am without any ideas how this could happen.
Oh I envy your naivety.. I work for an ISO9001 company and it is terrifyingly insecure.
ISO9001 compliance has nothing to do with security, and frankly ISO9001 compliance doesn't even have very much to do with ISO9001 certification..
// MD_Update(&m,buf,j);
Don't they check the SSN against the listed name, Do, gender, etc...
Sure I would have something to put on a paper, but wouldn't it raise a red flag when the paper says it's a 23 year old Juan Gomez; and the SSN is for a 78 year old Martha Hicks on the other side of the country?
I once typo'd my SSN on a leasing agreement and the apt company asked me to redo it as the information did not match up.
How could this happen?
The people in charge don't give a shit.
Next silly question.
So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.
This is the right question.
It so often sounds like these organizations lack high-end intrusion detection systems. It's usually a case of someone stumbling across the "open door " and sounding the alarm. Organizations that lack good IPS are unlikely to have good network auditing systems that record who accesses what and when for every file or network recorders that record every packet on the network. In fairness, that stuff is expensive, complex to install, maintain and use, and introduces storage issues. So, it is not unreasonable for a network to lack this stuff, even a government network with sensitive data.
But, the announcements of precise numbers of compromised accounts and so forth are hard to believe. I think its more a case of; 'we think this Excel file was copied and it had 150,000 numbers in it'. Oh wait; 'this other Excel file might have been read and it has 250,000 numbers in it'.
These guys are guessing. They don't have a clue what went missing or when. But, the scary thing is that the truly skilled intruders get in siphon off everything and move on without anyone ever knowing. Some may even lurk for months/years without ever being discovered.
You mean Medicare, not Medicaid, which is for the very poor or terminally ill.
The big prize here would be any Children's SSN's. Those are valuable for identity fraud because children have clean credit histories, and it takes months-to-years for the parents to figure it out.
I suspect "Anonymous" may be at work here, they've attacked Utah government and police sites before. They seem to support free speech, unless it's free speech they don't like, then it should be destroyed. Ironically, not only did they attack the wrong police department (Salt Lake City, not West Valley City), but they took down the site that allows the public to talk to the police. But I guess as long as you destroy something and screw up people's lives, that's good news for them.
One would hope so, but as I learned the hard way, companies don't always check or pay attention to red flags. My identity was stolen. The thieves used my name, address, SSN, and DOB to open a credit card in my name. They got my mother's maiden name wrong. You know, that "security" question that's supposed to help prevent fraud? They got it completely wrong. (Red Flag #1) Then, they paid for rush delivery of the card and changed the address to another state entirely. (Red Flag #2) Then, they tried to get a $5,000 cash advance before the card was even activated. (Red Flag #3)
The only reason I found out about any of this was because the card company shipped the card out FIRST and THEN changed the address on their records. So the card wound up on my doorstep. Of course, once alerted to the fraud, the credit card company stonewalled me. (I was actually told "We can't tell you what the address is on the file they created under your name because if you go there and shoot them we're liable for damages.") They also stonewalled the police officers by not responding to calls. (They had a special "police call here" line which seemed to go straight to an unanswered voice mail system.)
The end result is that my ID thief got away and likely stole other people's identities and the credit card company (*cough* Capital One *cough*) is likely still approving sketchy applications.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
So is there no recourse in such a case?
If the CC company wont allow you or the police to pursue the matter.
I work for another major, similar non-profit organization in another site. I've been involved with IT and various areas of the organization's business-side functions; including Electronic Medical Record systems. I will just say that if you really believe these companies are secure, you're naive. These are non-profit corporations with the majority of the people being very untechnologically savvy. Even a decent IT department only has so much control over what is going on - most of the time, the security of the EMR systems has nothing to do with IT to begin with. Instead they simply host them and leave control of the EMR systems to other leaders in the organization as IT shouldn't be involved with medical record access to begin with.
Non-Profits have very high turnover rates and employ hundreds, if not thousands (depending on agency size) of part-time workers. These people range from 3-30 hours a week. You have employees in rural areas of the state who barely know what a computer is - but are required to log into various systems with multiple username/passwords. You have employees sharing username/passwords which is impossible for IT or Leadership to always be aware of. The means of information getting out is enormous and uncontrollable depending on how their EMR system is used. And you have to remember that in non-profit, you are dealing with 'comfortable' employees. These are not the cutting edge employees you will find in corporate America. That's not how this business works. So you can only imagine how insecure most of these agencies are.
I could really get into detail but I won't. Just letting you know that this stuff is easy to access if someone really wants to.
They seem to support free speech, unless it's free speech they don't like, then it should be destroyed.
You're giving them too much credit. Most of them do it for the lulz. Seriously.
He's getting rather old, but he's a good mouse.
My advice for anyone who's identity was stolen:
Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.
Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.
Step 3: Freeze your credit file.
About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.
Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Exactly! What we need is a giant database that can be compromised by one overworked medical resident who has no real concept of data security.
I know of two cases where residents had a shared database of passwords to various medical systems at multiple hospitals stored on insecure public "document" sites. In one case, they all had a common password, and different groups of students/residents used it year after year (not even ever changing the username or password). When the IT people found out and blew a large gasket, the medical people honestly did not see what the problem was.
The end result is that my ID thief got away and likely stole other people's identities and the credit card company (*cough* Capital One *cough*) is likely still approving sketchy applications.
Coincidentally, I was on the phone for a good while with them yesterday and will be heading to the bank once they open today. Somebody grabbed those "balance transfer" (or whatever) checks that they send you out of my mailbox, wrote an enormous check out to "cash", put a signature on it that kind of looks like my name (if not my signature), and pulled out the cash before Capital One had a chance to tell the bank that the check was beyond my credit limit. Fun... Even the most basic heuristics should tell them that I don't make a habit out of borrowing $10k in cash against a credit card...
He's getting rather old, but he's a good mouse.
It all depends on how much you want to pursue the matter and how forceful your police department is. My police department kept insisting that investigating these cases was useless because chances are the thief was in a different jurisdiction. They would not update me for awhile and, when I got insistent, they would reveal there was no progress at all. They honestly didn't seem to care much because I didn't "lose" anything of much value. (We caught it in time so immediate monetary loss was zero.) They also were completely technologically clueless. When they mentioned they had the IP address of the person who submitted the application form, I had to show them how to tracert to find info on the IP and alerted them to the fact that the ISP could tell them who was signed on then given the IP and date/time. After the credit card company's delays and the police delays got to be too much, I just dropped it and concentrated on securing my credit against future attacks.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Not everyone on Medicaid stays poor for the rest of their lives. Utah in particular has a lot of young married students with young children who qualify for CHIP while in college but later go on to lucrative careers.
Sadly, companies like this seem to consider basic fraud checks to be a needless expense. They just approve any credit/transfers and if they make a mistake.... oops! Well, it's only your money/credit. They'll write off any losses they incur and move on. Not every company is like this, but enough big companies are to make real problems for people like us.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
until institutions are held accountable for this type of data breach it will continue to happen. If the fine was lets say $1 million paid to each compromised SSN, then 2 things would happen: 1. they would spend more money on qualified individuals to protect their data 2. this would not be reported as much as they would cover it up.
It's amazing how many social security checks go out to dead people
The reference to ISO compliance here isn't to the ISO9001 quality standard, but the ISO 27001 and ISO 27002 best practices standards for information security.
see: http://en.wikipedia.org/wiki/ISO/IEC_27001
---------
There is no try at jedinite.com
Ha! 15%, I wish. The cheapest rate I got for my first car loan was 20%, and they made it clear that they were doing me a favor while they were gouging me.
It is important to note where the primary concern of most of the commenters is: the stolen SSNs. We don't have effective health information exchange because politicians and their constituents are scared to death of their all-important "private health data" being stolen. When it actually happens, people stop and realize that no one could possibly have any use for Joe Average's health information, whereas your SSN/personal information can quickly compromise your financial livelihood. In order to get some use out of stolen health data, you'd have to sell it to some marketer (who would be outing themselves just by using it....) or you'd have to blackmail the person whose data you have (a felony/they probably don't have enough money to make it worth it/they are certain to be caught if they try to do this at any scale). To get some use out of stolen SSNs/personal information, you need to fill out a few online forms and start ordering. Of course, there are thousands (if not millions) of organizations storing SSN/Credit Card Numbers/Driver License or Passport Numbers/Addresses/etc... on tons of people. For some reason, we are OK with that risk, but up in arms when we talk about storing potentially life-saving health data. I fully expect many to agree with this post....and I fully expect the usual flame response when I post anywhere online that your health data is not sacred, no one who could feasibly use the stolen data can legally do so, and unless you are a high-priority target (celebrity, political figure, etc...) you really don't have any risk from having your health data stolen (although it should certainly still be secured unless you really want to make it public data).
It also allows criminals to fraudulently bill Medicaid for services, prescriptions, and equipment that were never delivered. See news stories like this and this.