'Wall of Shame' Exposes 21M Medical Record Breaches
Lucas123 writes "Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records were also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."
Unless the various companies that lose the data are punished, nothing will change.
Be seeing you...
Now that the US government is taking over healthcare this problem will disappear!
I'm impressed. I wouldn't have guessed that insurance outfits had anybody familiar with the concept of 'shame' available to coin such a nickname...
On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data.
BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.
Say they used new HDDs at $100 for a 1TB HDD -> HDD cost = $88,500. F*** it... let's be generous and say all the equipment amounts to $1M.
The rest should be labour cost, shouldn't it? Which means $1000/h... Seems to be a good trade to be in.
Questions raise, answers kill. Raise questions to stay alive.
No, No, No - you have it all wrong.
Say $100K for the drives, another 50K for the 'Enterprise Level' software, another 100K for labor.
The other 5.5 million for upper level executive compensation.
Thinking this stuff through is hard.
Faster! Faster! Faster would be better!
And why do we care who has our medical information?
Because in the US, we've decided that the only people that get health care are those with jobs. So getting a job is deeply tied to one's state of health. Accidental leaking of your health care information could lead to losing your job, or failure to obtain one. Other laws try to tackle that, but nonetheless, we all have the fear that if our potential employer (especially) knew how much we might really cost, we wouldn't get that job. And the fact of the matter is that no employer wants to employ a sick person if they can help it.
We'd be better off decoupling health care from employment. One side effect would be that medical information wouldn't be so secret. This is rather important when you consider that that information should perhaps be shared among health care providers, patients with the same ailments, and especially, family (possibly distantly related but genetically susceptible, for instance).
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
I think it's entirely reasonable to envision a system built on GPG wherein one could exchange data with one's doctor. Am I alone in this? Obviously 3rd parties wouldn't be interested in such a system, but who cares if this at the end of the day is about me, the patient.
I'd like to think that they use higher-grade drives than you buy at Fry's or where-ever. Would also assume RAID5 or better. Add in the fact they were probably plugged into a DMX or similar & $6M starts sounding reasonable.
Why they weren't encrypted from the start is the real question.
If you get medical care, unfortunately you have to be "in the system". There appears to be no option to just show up at a clinic with a broken arm or needing a wound cleaned and sewn up, or something, paying them on the spot and getting treated, all without them keeping records on you from then on out.
I wish I could do that, but it appears to not be an option. Their system WILL track you, which means you are subject to whatever data leaks they happen to have.
Umm... where's the news? This website has been around for YEARS. The breaches aren't anything new and anyone that is affected should've been alerted per HIPAA.
Why they weren't encrypted from the start is the real question.
HIPAA only recently grew teeth that makes non-compliance painful.
Small doctors' offices are ripe for this. The software they use is a joke. Their security is horrendous. Easy to find SQL passwords. Entire health claims stored in plain text. Claim files being sent via modem transmissions. Doctors that refuse to update their software or Windows environment because they are cheap... The list goes on.
I work with BCBS, they are idiots. It usually takes three people to give me three different wrong answers. It probably took 10 people per hard drive.
It usually takes three people to give me three different wrong answers.
That's grossly inefficient... in some of the places I worked, I only needed a single person (my manager) to get 3 different wrong answers.
Questions raise, answers kill. Raise questions to stay alive.
"Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing."
Submitter should have dug a little bit further. TRICARE was the agency where the records originated, but SAIC was the "business associate" that actually lost the records belonging to TRICARE.
I beat the system by having no significant medical records in the last 10 years :P One finger X-ray (no break, yay) and like 2 appointments for allergies. Good luck blackmailing me with that, lol. I just stay exceptionally healthy. Take that, hackers! lol.
If you read the article, you will see that the main problem is one of proper handling of the backups, not the actual server application or database; in other words, here the problem is the "meatware", not the "software".
I think this is all kind of backwards. Since moving to the US a decade or so ago from a country with universal healthcare* the biggest problem I've had is with getting my health records passed from one provider to the next when I change jobs / locations / insurers. I'd love it if someone hacked all my health records and put them on the web for everyone (including myself), since that'd actually mean my various providers could see what the last person produced. I really don't give a shit if my next door neighbor knows I have elevated cholesterol and am on anti-anxiety meds. Shit, if they knew that I was so stressed I was having panic attacks, maybe they'd stop firing up their fucking leaf blower at 8am sharp out of concern for my wellbeing. But I digress.
The reason Americans are so paranoid about 'other people' seeing their healthcare records is some of the 'other people' are for-profit health insurers and before 2010 (when key provisions of the Patient Protection and Affordable Care Act aka 'Obamacare' came into force) they could and did deny coverage to people with pre-existing conditions. It's not surprising that there's a bit of a social lag here - three generations of Americans have had to be scared about whether their for-profit healthcare provider could find a way to weasel out of actually paying for necessary healthcare, and it's going to take a while for people to realize they don't have to give a shit any more.
* Good luck guessing which country I moved from - every other first world country on earth has universal healthcare, as do many of those who can't easily claim 'first world' status.
Why aren't these public records anyway? After all in today's America what isn't? Shouldn't everything be transparent?
Because it's too boring a topic for the BHBs to deal with
To hell with fines. Felony-grade jail time in no less than medium-security, from top people on down, with the parole condition that upon release they never work with customer information or data again.
Nobody has to "hack" your medical record. HIPAA guarantees you a copy, so go ask for it.
If, instead, your beef is that the doctors treating you don't talk to each other, find some that do. Electronic health records make this trivially possible, and there are lots of Keysers out there practicing managed care.
Finally, do you really think that "for-profit insurers" are the only reason Americans expect their medical records to be confidential? I understand that you have Nothing To Hide, but "too much patient privacy" is the last thing wrong with healthcare in America.
DATABASE WOW WOW
Like everyone else, I store all my data on full harddrives.
The reality is that 885TB of data is probably spread across 50 PB (peanut butters?) of harddrives, each probably around 0.5 TB (turtle bones?). Not only does this bump up the cost of new HDs (which they probably didn't buy), but it substantially increases the number of times the IT folk had to click on the option to encrypt the drive.
I may be an intoxicated AC, but my math is better than yours.
The Cloud will fix this! See, if everything is in the cloud then everyone's records can be accessed without authorization at the same time, thus negating the need for the Wall of Shame! Or at least just have one name on the Wall. But then that's not much of a wall. Snippet of Shame? One-liner of Shame?
Someone at my work's wife works at a dentist's office. They got all new computers (about 5, and 2 laptops); they didn't know what to do with the old ones, so someone brought them into work and gave them away to whoever wanted them. I asked if they had been wiped; he said "I guess so." I plugged one in, booted a Windows password reset CD, logged in, and the computer was full of emails, Word documents, pictures of patients and the dental work they had done, and a full QuickBooks business file. The major personal info was stored on their server at least and not accessible. I quickly told them not to give away any of them until I wiped the drives on the rest of the boxes.
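A practical check for the situation in the comment above, added here as an example and not code from the original thread: before old office PCs go out the door, read each drive (or a dd image of it) and look for regions that still hold readable data. The chunk size, the entropy threshold, the PII patterns and the three-chunk sample image are assumptions constructed for this demo; scan_file() is what you would point at /dev/sdX or the image for the real thing.

```python
"""Look for plaintext left on a drive before the hardware leaves the building.

Added example, not code from the original thread. It reads a raw device or
image in fixed-size chunks, measures per-chunk entropy, and flags chunks
that still hold readable text or PII-shaped strings. Chunk size, threshold,
patterns and the three-chunk sample image are assumptions built for the demo.
"""
import math
import os
import re
import sys
from collections import Counter

CHUNK = 4096
# Random or encrypted data sits near 8 bits/byte; English text and
# record-style data sit well below 6.
MAX_PLAINTEXT_ENTROPY = 6.0
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\r\n\t]{32,}")
# PII-shaped patterns; extend for the data you expect (MRNs, policy numbers).
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def entropy(block):
    """Shannon entropy in bits per byte."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_chunk(block):
    """One of: wiped (all 0x00 or all 0xFF), high_entropy (random/encrypted),
    plaintext (readable text, with any PII hits), low_entropy_binary."""
    if not block.strip(b"\x00") or not block.strip(b"\xff"):
        return "wiped", []
    if entropy(block) > MAX_PLAINTEXT_ENTROPY:
        return "high_entropy", []
    if PRINTABLE_RUN.search(block):
        hits = [(name, m.decode("ascii")) for name, pat in PII_PATTERNS.items()
                for m in pat.findall(block)]
        return "plaintext", hits
    return "low_entropy_binary", []


def scan_chunks(chunks):
    """Tally verdicts over an iterable of chunks; findings are (offset, hits)
    for every plaintext chunk."""
    summary = {"wiped": 0, "high_entropy": 0, "plaintext": 0,
               "low_entropy_binary": 0, "findings": []}
    offset = 0
    for block in chunks:
        kind, hits = classify_chunk(block)
        summary[kind] += 1
        if kind == "plaintext":
            summary["findings"].append((offset, hits))
        offset += len(block)
    return summary


def scan(data):
    return scan_chunks(data[i:i + CHUNK] for i in range(0, len(data), CHUNK))


def scan_file(path):
    # Streams the device/image so a multi-TB drive never has to fit in RAM.
    with open(path, "rb") as fh:
        return scan_chunks(iter(lambda: fh.read(CHUNK), b""))


def safe_to_release(data):
    """True only when nothing readable survived. An all-random drive passes
    too, so this says 'no plaintext', not 'properly erased'."""
    s = scan(data)
    return s["plaintext"] == 0 and s["low_entropy_binary"] == 0


def build_sample_image():
    """Constructed image: zeroed chunk, random chunk, leftover patient record."""
    record = (b"Patient: Jane Example\r\nSSN: 123-45-6789\r\n"
              b"Email: jane@example.com\r\nProcedure: crown, tooth 14\r\n")
    return (b"\x00" * CHUNK + os.urandom(CHUNK)
            + record + b"\x00" * (CHUNK - len(record)))


if __name__ == "__main__":
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(build_sample_image())
    print({k: v for k, v in result.items() if k != "findings"})
    for offset, hits in result["findings"]:
        print("plaintext at offset %d: %s" % (offset, hits))
```

Two caveats a practitioner would add: a high-entropy result is indistinguishable from an encrypted volume whose key is still on a sticky note somewhere, so the scan confirms "nothing readable", not "erased"; and reading the drive is the audit, not the remedy, which remains an ATA Secure Erase, a full overwrite, or physical destruction, followed by a rescan.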
Two words: redundant storage..
Ah, yes, and backups.
...the solution is implantable RFID chips because they're so secure.
You missed the requirement. They didn't encrypt the drives that were stolen. They encrypted all their hard drives, I assume that means thousands of desktops and laptops
Great point. I have had to get my records a few times and they charged a dollar a page. A few spine surgeries and the fact I had to go for all the after care meant my record was over $600. I was livid. I called my attorney and asked them to request my records so they could pay for it. $65!!!!!! This is just one of many reasons why I am mad at the healthcare field. Oh, and the makers of the hardware in my spine... they paid off doctors to hide results and claim there were no issues. I will let you know how the group tort comes out.
You missed the requirement. They didn't encrypt the drives that were stolen. They encrypted all their hard drives, I assume that means thousands of desktops and laptops
Aren't you missing that it's still $6M for 5000 man-hours?
* Truly, brah, 2nd/3rd-world guaranteed health coverage is way, way way, WAY better than this total shit-hole butt-rape in the face scab nightmare we call "America"! Fuck yeah, you should move the fuck out. Do yourself one better. Before your neighbors break into your home and replace your anxiety meds with sugar pills. Fucking Americans!!! *sob* I just wish I had all the guaranteed health care coverage available in so many 2nd/3rd world countries.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Before passage, the HIPAA bill was much debated. Privacy advocates wanted two big things: (a) opt-in rather than opt-out and (b) the right for patients to refuse permission for their health info to be used in ways they don't want while still receiving treatment. The privacy advocates lost.
The result is that now, when you visit the doctor you get a multi-page privacy disclosure. You are allowed to request changes in how your health info is treated. However, the provider has the right to refuse treatment if you request even the slightest deviation. That means that providers can write their software presuming that 100% of patients consent to the most invasive and insecure privacy practices.
It should be the right of every patient to forgo the advantages of digitally stored health records and to opt-out without being sent packing without treatment. One should even have the right to seek treatment anonymously and pay cash. Even that is forbidden by state and federal laws regarding record keeping by providers.
I'm afraid that the only way out for US citizens determined to protect their privacy is itself a felony. I speak of identity theft -- fraudulently using someone else's identity to get health care.
HIPAA was supposed to protect patient privacy. Instead, it merely adds to the mindless and wasteful bureaucracy of health care while institutionalizing privacy-invasive practices, giving legal cover to abusers, and criminalizing individual tactics to protect themselves. In addition, HIPAA preempted many state laws that provided better privacy protections than HIPAA.
It's sad but true. It's like rolling the dice every time you have to call them on whether the person answering will be competent enough to give you any type of usable information.
Specialist please!
I live in California and over the past 10 years have had two different insurance providers for medical services (company X got bought by company Y, and they both offered insurance through different companies). I reviewed the linked article and found the following:
Entity                     State  Individuals affected  Breach date              Type of breach                  Location of data   Date reported
Delta Dental               CA     11,646                12/22/2011 - 12/23/2011  Unauthorized Access/Disclosure  Paper              2/3/2012
Sutter Medical Foundation  CA     943,434               10/15/2011               Theft                           Desktop Computer   12/8/2011
Both of these are insurance companies I had (and for one, still have!) coverage through, during the time of the theft/breaches. So in this situation, do I just bend over and take it? (Pun intended, depending on what your symptoms are ;-) ) I guess what I'm trying to find out is whether or not I was one of the people whose information was disclosed, and if so, what I can do about it or if I'm entitled to anything.
Can someone shed some light on that topic? Nothing in the linked article explains this aspect of it, other than stating that HITECH is the reason for the public disclosure of the breaches, but not what the effects of those breaches are.
Been there myself, I was hired to help secure code in various programs (ftp, making it sftp instead, for one, & in others, scrambling folks' SS#'s for outputs, into a "serial # for said person" instead (yes, the company concerned (an insurer) was putting out SSN#'s onto folks' cards for care they received @ institutions like hospitals, private doctors, clinics, you-name-it). Like YOUR example? They also had CELEBRITY HEALTHCARE DATA TOO (not people to mess with - they have MONEY and attorneys, unlike many "normal folks").
In the course of doing so, I found their antivirus program (TREND) was NOT set up correctly, and when I pointed this out, privately to both after a meeting, as well as what can be done to "security-harden" workstation & printer endpoints as well as servers?
Heh - They tried to say I was "hacking their network", lol, wtf!?!
* Man - I was stopping them from BEING HACKED, & my own workstation had viruses on it because of the incompetence of the CIO - who gave me someone else's machine without WIPING mine clean when I got it and having it setup fresh... it was infected/infested the DAY I GOT IT, which I caught!
(That CIO who was also head network engineer no less? He was one who had never done the job before as a pro, yet had that title (boggles the mind - he had a cert & that is about it, but no years to decades of hands on professional experience as a network admin/engineer/tech himself)).
They ended up getting FIRED too, when it was found out they used AVG's freeware in a CORPORATE ENVIRONS (cost them big bucks, and is illegal/a "no-no"...).
Yes - THAT is what you get, working for incompetents people!
I.E. -> They will fire you IF you show their incompetence even when YOU'RE TRYING TO HELP THEM and the company itself, which is what happened to myself, when I pointed out that weakness alone (and others, such as not securing 'endpoints' like workstations and printers, via industry best practices for that!)
To my points, they said it would "take too long & too many man hours to do"!
(Oh, really? A few .reg file merges via logon scripts &/or AD policies set @ group level would do it, in minutes... testing only would take a few minutes more over the course of days if users had hassles, you patch for THEM, specifically (like websites they need to reach for instance, or other things like files on the LAN/WAN)).
Accept it, most of us have "bosses" that do NOT know what the f they are talking about or doing in this field, and yet, they are our "superiors"... it's gotten better over time since I started out professionally in their field back circa 1994 onwards, but it's STILL out there.
QUESTION: How they are TRULY "superiors" & get their titles, especially without having done the job for years to decades successfully first, I will never understand. Especially NEGLIGENT practices like I noted above being done by them, as well as fuckup work for security on THEIR parts!
No man should lead other men until he's "walked a mile in their shoes", which not only lends him actual contributable experience, but also gains the respect of your subordinates.
E.G.-> A good #'age of "mgt. superiors" in this field, up to the CIO level, haven't ever done the jobs themselves, & merely hire those who DO know what they're doing, to get by!
(Just so they can 'take the credit' when things go well & put THAT on their resume, stuff like "I headed this project", omitting the fact they NEVER DID A DAMN THING THEMSELVES HANDS ON TO GET IT DONE, & ARE MERELY TAKING CREDIT FOR THOSE THAT DO, like you see in trade rags in our field).
Get used to it, incompetents & a-holes abound, especially in mgt.., why? So they can "go under-budget" & pinch pennies (being penny-wise, but POUND foolish due to negligence lawsuits due to shoddy security practices), & fuck the company (and, thus, YOU TOO).
APK
P.S.=> As a pal of mine put it:
"Screw them - they'll get ca
About 5 years ago I was at a large Seattle medical facility where my wife was having a minor procedure. While in the waiting room I opened my laptop and found that the clinic's WiFi was open and unencrypted. I asked to see the office manager, showed her my MSFT badge (no longer there, BTW) and explained that anyone with a packet sniffer could capture patient data at will. Their reaction? Fear, as if I was somehow threatening them. No thanks, no request to suggest what to do about it. Pretty sure nothing was done ... maybe it was the Microsoft badge that frightened them :). You can bet your bottom dollar that small clinics across the country have similar issues today.
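To make the open-WiFi point in the comment above concrete, an added example that is not code from the thread or from any clinic system: a minimal dissector that walks Ethernet, IPv4 and TCP and returns what a single plaintext HTTP POST hands to anyone in the waiting room with a sniffer. The frame is constructed in code from made-up addresses and form fields; on a real capture you would feed dissect() the raw frames from a pcap reader or a raw socket instead of build_frame().

```python
"""Dissect one Ethernet/IPv4/TCP frame and pull out what a plaintext HTTP
request hands to a passive listener on an open wireless network.

Added example, not code from the original thread or from any clinic
system. The frame is constructed here (made-up addresses, made-up patient);
on a real capture, feed dissect() raw frames from a pcap reader or a raw
socket instead of build_frame().
"""
import struct
from urllib.parse import parse_qs

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal Ethernet II + IPv4 + TCP wrapper around payload. Checksums are
    left zero: a sniffer sees whatever was on the air and we do not verify."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0,
                     64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def dissect(frame):
    """Return addresses, ports and TCP payload; ValueError if not IPv4/TCP."""
    if len(frame) < ETH_LEN + 40 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = ETH_LEN
    if frame[ip] >> 4 != 4 or frame[ip + 9] != IPPROTO_TCP:
        raise ValueError("not IPv4/TCP")
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    tcp = ip + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return {
        "src_ip": ".".join(str(b) for b in frame[ip + 12:ip + 16]),
        "dst_ip": ".".join(str(b) for b in frame[ip + 16:ip + 20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": frame[tcp + data_off:ip + total_len],
    }


def parse_http_request(payload):
    """Split a request into method, path, headers and body; None if it is not
    a complete HTTP request head (a TLS record, for instance, never matches)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"), "path": parts[1].decode("latin-1"),
            "headers": headers, "body": body}


def leaked_form_fields(frame):
    """What one plaintext form POST gives away: endpoints, host, path and the
    decoded form fields. Empty dict for anything that is not such a POST."""
    pkt = dissect(frame)
    req = parse_http_request(pkt["payload"])
    if req is None or req["method"] != "POST":
        return {}
    if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return {}
    fields = {k: v[0] for k, v in parse_qs(req["body"].decode("latin-1")).items()}
    return {"src": "%s:%d" % (pkt["src_ip"], pkt["src_port"]),
            "dst": "%s:%d" % (pkt["dst_ip"], pkt["dst_port"]),
            "host": req["headers"].get("host"), "path": req["path"], "fields": fields}


def sample_frame():
    """Constructed front-desk check-in POST sent over plain HTTP."""
    body = b"patient_id=000123&dob=1970-01-01&reason=wound+care"
    request = (b"POST /checkin HTTP/1.1\r\nHost: intake.clinic.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body)) + body
    return build_frame("10.0.0.23", "10.0.0.5", 51234, 80, request)


if __name__ == "__main__":
    print(leaked_form_fields(sample_frame()))
```

The same dissector run against a TLS connection gets as far as the endpoints and the record bytes and then stops, which is the point: an open SSID is fixed by WPA2 on the air and TLS on the application, and nothing about the Microsoft badge changes either.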
TFA (second page):
On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data. BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.
Say they used new HDDs at $100 for a 1TB HDD -> HDD cost = $88,500. F*** it... let's be generous and say all the equipment amounts to $1M. The rest should be labour cost, shouldn't it? Which means $1000/h... Seems to be a good trade to be in.
If only it was as easy as just buying new HDs and installing them in the systems. Sorry, but they are most likely dealing with multiple enterprise-level systems, some that have to be FDA approved, between multiple vendors. They have to make sure they can encrypt all the drives, that the vendors will still support the system in question, that the FDA is OK with it, that it is fully tested, and that in all that there is no downtime. Like it or not, you're talking about multiple projects involving lots of people and probably a decent amount of upgrades. I bet there is some vendor-paid money in there, but not much, as $6M is nothing when paying GE to upgrade an already existing system because they won't support or sign off on either you doing your own work or the new configuration.
Otherwise, if you think you can take your laptop upgrading skills into healthcare levels, feel free to get a directorship in healthcare IT and show them all up by spending one sixth of what the other people are spending without having any major issues that would cause more problems than what you're trying to avoid.