Slashdot Mirror


Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen

An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."

15 of 64 comments

  1. ID by Anonymous Coward · · Score: 3, Insightful

    Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.

    Right?

  2. Re:Not to be rude about it, but by hrvatska · · Score: 5, Informative

    Almost all US citizens over 65 are on Medicare, which is not the same as Medicaid. Some elderly are on both Medicare and Medicaid, but most are not.

  3. Re:Simple solution: by mrvan · · Score: 3, Informative

    Yeah, but that's Luxembourg. Arrest like 5 people and you've arrested almost a quarter of the population. A lot harder to do that in the US.

    You seem to be doing a good job, though...

  4. Re:Illegal aliens by leonardluen · · Score: 2

    Illegal aliens for one. Allows them to get a job.

    It would be somewhat amusing if this helped the credit score for some of these people... though it would suck if it disqualifies them for Medicaid.

    Government agent: Well, it appears you are working 11 jobs in 3 states making a total of $123k per year. I am sorry but you don't fall under the minimum wage requirements to remain on Medicaid... however we can offer you a heck of a deal on a new mortgage!

  5. Re:Not to be rude about it, but by vlm · · Score: 4, Interesting

    who is going to want SSN's of a bunch of poor people on Medicaid?

    If you can fog a mirror you can get a car loan. A car can be driven across the border, to a chop shop, etc. If you're poor the interest rate will be 15% but if you stole the info and intend to never make a payment, no one cares. My mom had zero income, and someone with her info bought a pickup truck in Texas and disappeared into Mexico. She had no problem removing it from her credit history as it was beyond ridiculous, but if she were not so lucky, then it could have been a problem.

    You don't need any money for an illegal to use your information to hold a job (IRS etc) or get free medical care. Actually a poor person has much better medical coverage than I do... so their info is more valuable than mine. The IRS thing with stolen SS numbers is no problem unless the illegal claims 15 exemptions and pays no tax.. then you have to pay their tax for them, or prove you're not working both as a sysadmin and a restaurant dishwasher simultaneously.

    You don't need any money or credit record to visit a "check cashing place / payday loan joint" with a fake check, walk out with cash, and leave the victim to figure it all out.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

  6. So, how did they discover the leakage? by SCHecklerX · · Score: 4, Insightful

    I always wonder about these stories. They are obviously so ate up with their infrastructure that they don't know how to properly configure, maintain, and secure it. So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

    1. Re:So, how did they discover the leakage? by dachshund · · Score: 2

      So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

      A common approach is to insert 'canaries' into the datasets. These are wholly-invented users whose credentials should never show up in any system, anywhere. If they do start showing up in significant numbers, you have a breach. By measuring which, and how many, of these fake users turn up, you get a read on how many records you lost.

      Not that this necessarily has anything to do with this case. It's also possible that the thieves were openly advertising their haul on the 'net, and some law enforcement agent happened to be listening in.
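
Added example, not part of the thread: a sketch of the canary bookkeeping described in the comment above, showing how "which, and how many" canaries turn up maps to the affected datasets and a rough record count. The segment names, sizes, ID format, key and sightings are all constructed, and the estimate assumes canaries are spread uniformly through each segment.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret stored outside the database

def canary_id(segment, i):
    """Derive the fake member ID for canary i of a segment (reproducible from KEY)."""
    mac = hmac.new(KEY, f"{segment}:{i}".encode(), hashlib.sha256).hexdigest()
    return "M" + mac[:10].upper()

def build_registry(plan):
    """plan: {segment: (real_records, canaries_seeded)} -> {canary_id: segment}."""
    return {canary_id(seg, i): seg
            for seg, (_, seeded) in plan.items() for i in range(seeded)}

def assess(plan, registry, sightings):
    """Return {segment: (canaries_seen, canaries_seeded, estimated_records_lost)}."""
    seen = {seg: set() for seg in plan}
    for ident in sightings:
        key = ident.strip().upper()          # normalise before lookup
        seg = registry.get(key)
        if seg is not None:
            seen[seg].add(key)               # repeat sightings count once
    report = {}
    for seg, (records, seeded) in plan.items():
        hit = len(seen[seg])
        # Proportional estimate: with canaries spread uniformly through the
        # segment, the fraction of canaries seen ~ the fraction of rows taken.
        lost = round(records * hit / seeded) if seeded else 0
        report[seg] = (hit, seeded, lost)
    return report

# Constructed sample: hypothetical segments, sizes and sightings.
PLAN = {"claims": (200_000, 50), "enrollment": (60_000, 28), "providers": (10_000, 8)}
REGISTRY = build_registry(PLAN)
SIGHTINGS = (
    [canary_id("claims", i) for i in range(20)]
    + [canary_id("claims", 3).lower() + " "]      # duplicate, different case
    + [canary_id("enrollment", i) for i in range(28)]
    + ["M-NOT-A-CANARY"]                          # not in the registry: ignored
)

if __name__ == "__main__":
    for seg, (hit, seeded, lost) in assess(PLAN, REGISTRY, SIGHTINGS).items():
        status = "BREACH" if hit else "clean"
        print(f"{seg:11} {hit:2}/{seeded:2} canaries seen -> ~{lost:,} records ({status})")
```
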

  7. Re:What a scam by kestasjk · · Score: 3, Insightful

    Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
    Unless they outsourced to a company [...] I am without any ideas how this could happen.

    Oh I envy your naivety.. I work for an ISO9001 company and it is terrifyingly insecure.

    ISO9001 compliance has nothing to do with security, and frankly ISO9001 compliance doesn't even have very much to do with ISO9001 certification..

    --
    // MD_Update(&m,buf,j);

  8. Re:What a scam by Quiet_Desperation · · Score: 2

    How could this happen?

    The people in charge don't give a shit.

    Next silly question.

  9. This! by Anonymous Coward · · Score: 2, Informative

    So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

    This is the right question.

    It so often sounds like these organizations lack high-end intrusion detection systems. It's usually a case of someone stumbling across the "open door" and sounding the alarm. Organizations that lack good IPS are unlikely to have good network auditing systems that record who accesses what and when for every file or network recorders that record every packet on the network. In fairness, that stuff is expensive, complex to install, maintain and use, and introduces storage issues. So, it is not unreasonable for a network to lack this stuff, even a government network with sensitive data.

    But, the announcements of precise numbers of compromised accounts and so forth are hard to believe. I think it's more a case of: 'we think this Excel file was copied and it had 150,000 numbers in it'. Oh wait; 'this other Excel file might have been read and it has 250,000 numbers in it'.

    These guys are guessing. They don't have a clue what went missing or when. But, the scary thing is that the truly skilled intruders get in, siphon off everything, and move on without anyone ever knowing. Some may even lurk for months/years without ever being discovered.

  10. Re:Illegal aliens by Jason Levine · · Score: 2

    One would hope so, but as I learned the hard way, companies don't always check or pay attention to red flags. My identity was stolen. The thieves used my name, address, SSN, and DOB to open a credit card in my name. They got my mother's maiden name wrong. You know, that "security" question that's supposed to help prevent fraud? They got it completely wrong. (Red Flag #1) Then, they paid for rush delivery of the card and changed the address to another state entirely. (Red Flag #2) Then, they tried to get a $5,000 cash advance before the card was even activated. (Red Flag #3)

    The only reason I found out about any of this was because the card company shipped the card out FIRST and THEN changed the address on their records. So the card wound up on my doorstep. Of course, once alerted to the fraud, the credit card company stonewalled me. (I was actually told "We can't tell you what the address is on the file they created under your name because if you go there and shoot them we're liable for damages.") They also stonewalled the police officers by not responding to calls. (They had a special "police call here" line which seemed to go straight to an unanswered voice mail system.)

    The end result is that my ID thief got away and likely stole other people's identities and the credit card company (*cough* Capital One *cough*) is likely still approving sketchy applications.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.

  11. What to do by Jason Levine · · Score: 4, Informative

    My advice for anyone whose identity was stolen:

    Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.

    Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine-toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.

    Step 3: Freeze your credit file.

    About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.

    Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.

    1. Re:What to do by RobertLTux · · Score: 3, Informative

      "Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine-toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed."

      regarding that bit http://www.annualcreditreport.com/ is the address you need

      or hit https://www.annualcreditreport.com/cra/order?mail for details on how to get this done (if you do the USPS method photocopy your DL and SS card and enclose that with the form)

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge

  12. Re:Not to be rude about it, but by LoverOfJoy · · Score: 2

    Not everyone on Medicaid stays poor for the rest of their lives. Utah in particular has a lot of young married students with young children who qualify for CHIP while in college but later go on to lucrative careers.

  13. Accountability...... by who_stole_my_kidneys · · Score: 2

    Until institutions are held accountable for this type of data breach it will continue to happen. If the fine was, let's say, $1 million paid to each compromised SSN, then 2 things would happen: 1. they would spend more money on qualified individuals to protect their data 2. this would not be reported as much as they would cover it up.