Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Wall of Shame' Exposes 21M Medical Record Breaches

Posted by Soulskill on from the you-can-trust-us dept.

Lucas123 writes "Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records where also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."

32 of 112 comments (clear)

  1. Punish them. by Nyder · · Score: 4, Insightful

    Unless the various companies that lose the data are punished, nothing will change.

    --
    Be seeing you...
    1. Re:Punish them. by Anonymous Coward · · Score: 5, Informative

      With their wallets?

      Wasn't there an article recently on Slashdot about how the IRS is likely to pay $21 billion dollars over the next 5 years because of identity theft?

    2. Re:Punish them. by vux984 · · Score: 5, Insightful

      In this case, what you suggested amounts to "government should punish itself" - something not very common for the US govt, wouldn't you say?

      Nor terribly productive.

      At best, they increase their budget by the amount of the fines, and then raise taxes to cover the increased budget.

      At worst, they pay the fine without increasing their budget, and make cuts elsewhere... thereby ensuring that not only is there no money to improve the security that led to the first breach, but now they are probably running shorthanded increasing the odds of a second breach...

      Punishing governement and large corporations is generally meaningless. We have to pierce the veil and go after individuals within them... fine or even imprison them personally.

    3. Re:Punish them. by Anonymous Coward · · Score: 5, Informative

      Criminal charges against the CEO, CIO and CSO level. Or at least civil charges.

      I'm currently working on a project with a major regional medical HMO. What I've found in 3 months of digging makes me want to *never* have a friend or family go to any of their affiliates. There is zero recognition of privacy -- admins are routinely passing round medical records of celebrities. Their idea of 2 factor authentication was forcing someone to login with the same credentials twice in a row. What appears to be security (doctors, nurses using RFID badges to login and out) is theatre only -- only a single ID is associated with all RFID badges for logins. A complete farce.

      Why? Because even when caught there is no penalty. Make the penalty meaningful to the people running things, and you'll see cultural changes pretty damn fast.

    4. Re:Punish them. by superwiz · · Score: 2

      That is actually not accurate in this case. Imposing a universal surcharge on all providers would make them pass that fee to the customers. Imposing fees only on the guilty would make the providers who are innocent of such violations more competitive (they wouldn't have the added costs of the fees). So if you believe in markets, the effect of such charges would be to make compliant behavior more competitive in the market place.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    5. Re:Punish them. by Eskarel · · Score: 4, Interesting

      Hospitals are complex places. Lots of staff, lots of data being transferred between systems some of which are insecure and there's nothing you can do about that, because they're required, and no competitors exist.

      The main reason that the number of breaches in hospitals is as low as it is is because for the most part people don't target hospitals so relatively basic security functions. Now of course we have people doing it "for the lulz" or to prove some sort of point which makes health care even harder to do.

      In a hospital environment you have to cater for doctors which no one other than the person running their accreditation even knows exist, nurses who view IT as a barrier between them and what they actually do, patients who want miracles, and health funds who seem to desire complexity for the sake of complexity. Connect all that up to IT products which haven't been updated since the mid 90's, never will be updated and can't be replaced because the group that would certify a competitor makes the product in question, add in vastly disparate WAN locations, a need for instant performance and 5 nines up time all on a shoestring budget and you'll start to get a picture of hospital IT.

      In the end you really have to ask yourself, is it better or worse to risk having a portion of your medical record stolen, or to die because the doctors couldn't get the information they needed quick enough. Sadly that's about how the choices line up, hospitals aren't generally negligent, it's just the nature of the game.

    6. Re:Punish them. by rgbrenner · · Score: 4, Insightful

      Punishing companies is punishing their customers

      Bullshit. I'm tired of this line.

      When a company is punished, it raises the cost for them to do business, resulting in price increases for customers.

      For some reason, you stop there. But it doesn't end there.

      The customers, who can chose where to spend their money, will go to the cheapest retailer... leaving the punished company with fewer customers, less market share, etc.

      Customers are not forced to buy from a company.. so fining 1 company is NOT punishing customers.

    7. Re:Punish them. by Thorodin · · Score: 2

      Yes, there is a penalty. It's called a fine by CMS for a HIPAA violation. Providers (doctors and hospitals) are being with with fines by CMS. This idea that companies are not being fined is not true. Jeez, just do a quick search on "hipaa+fine" and see what you get. Even /. had a story on it (http://yro.slashdot.org/story/11/02/25/2021232/first-ever-hipaa-fine-is-43m).

  2. Wait, what? by fuzzyfuzzyfungus · · Score: 3, Insightful

    I'm impressed. I wouldn't have guessed that insurance outfits had anybody familiar with the concept of 'shame' available to coin such a nickname...

  3. Where do I apply for the "HDD encryptor" position? by c0lo · · Score: 5, Interesting
    TFA (second page):

    On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data.
    BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.

    Say they used new HHD-s at $100 for a 1TB HDD -> HDD cost=$88,500. F*** it... let's be generous and say all the equipment amounts for $1M.
    The rest should be labour-cost, isn't it? Which means $1000/h... Seems to be a good trade to be in.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  4. Re:Where do I apply for the "HDD encryptor" positi by ColdWetDog · · Score: 4, Funny

    No, No, No - you have it all wrong.

    Say $100K for the drives, another 50K for the 'Enterprise Level' software, another 100K for labor.

    The other 5.5 million for upper level executive compensation.

    Thinking this stuff through is hard.

    --
    Faster! Faster! Faster would be better!
  5. Our secret health by mcelrath · · Score: 5, Insightful

    And why do we care who has our medical information?

    Because in the US, we've decided that the only people that get health care are those with jobs. So getting a job is deeply tied to one's state of health. Accidental leaking of your health care information could lead to losing your job, or failure to obtain one. Other laws try to tackle that, but nonetheless, we all have the fear that if our potential employer (especially) knew how much we might really cost, we wouldn't get that job. And the fact of the matter is that no employer wants to employ a sick person if they can help it.

    We'd be better off decoupling health care from employment. One side effect would be that medical information wouldn't be so secret. This is rather important when you consider that that information should perhaps be shared among health care providers, patients with the same ailments, and especially, family (possibly distantly related but genetically susceptable, for instance).

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    1. Re:Our secret health by PNutts · · Score: 2, Insightful

      Because in the US, we've decided that the only people that get health care are those with jobs.

      We've decided no such thing.

    2. Re:Our secret health by brit74 · · Score: 5, Insightful

      And why do we care who has our medical information?

      I think people are concerned about the privacy implications. If you have a talk with your doctor about something personal, you'd like to believe that the entire world isn't listening in. What's that? You've got erectile disfunction? You've had mental health issues? You once tried to kill yourself? You went to the emergency room because you were high on drugs or you stuck an object where it shouldn't go? You've admitted to having lots of sex partners or you're gay and you haven't come out? You've got an STD and you'd prefer that your friends and family don't know about it?

      Not only are there some potentially embarrassing secrets, but the idea that everyone can find out about your medical history can make you less likely to go to the doctor -- because there might be situations where it might be embarrassing to tell a doctor what the situation is, and much more embarrassing if the whole world could find out about it.

    3. Re:Our secret health by SonnyDog09 · · Score: 2

      Because in the US, we've decided that the only people that get health care are those with jobs.

      First, you are wrong. Medicare and Medicaid provide healthcare to the poor and the elderly. We spent close to a trillion dollars on those entitlement programs in 2010. Second, some other countries with "socialized medicine" tie health insurance to employment. Third, the making of healthcare and health insurance into a "benefit" of employment dates back to WW2, when prices and wages were frozen. Benefits were not. So, to entice workers to come work at a munitions plant, an employer would add "healthcare" benefits. If you recall, FDR was President, and he was a Democrat. So, the tying of healthcare benefits to employment in the US is their fault :-)

      --
      Your "fair share" is NOT in my wallet.
  6. Re:Where do I apply for the "HDD encryptor" positi by linatux · · Score: 3, Interesting

    I'd like to think that they use higher-grade drives than you buy at Fry's or where-ever. Would also assume RAID5 or better. Add in the fact they were probably plugged into a DMX or similar & $6M starts sounding reasonable.

    Why they weren't encrypted from the start is the real question.

  7. Umm... where's the news? by besalope · · Score: 3, Interesting

    Umm... where's the news? This website has been around for YEARS. The breaches aren't anything new and anyone that is affected should've been alerted per HIPAA.

  8. Re:Where do I apply for the "HDD encryptor" positi by sergentzimm · · Score: 2

    I work with BCBS, they are idiots. It usually takes three people to give me three different wrong answers. It probably took 10 people per hard drive.

  9. Re:you have to be in the system by Adult+film+producer · · Score: 2

    Thats not exactly true. There are many private medical facilities that have rejected government funding (medicare/medicaid) and a few that have totally rejected electronic medical records with good reason.

    For example, The Surgery Center of Oklahoma only uses paper records (much more difficult for the government and third parties to "leak"). What's interesting about private medical facilities like this that reject medicare/medicaid is that they know the TRUE cost of performing an operation and post it on their website,

    http://surgerycenterok.com/pricing.php


    One of the doctors at that particular medical center has a blog that some might find worth reading,

    http://032a410.netsolhost.com/WordPress/?cat=6

  10. Re:Where do I apply for the "HDD encryptor" positi by c0lo · · Score: 4, Funny

    It usually takes three people to give me three different wrong answers.

    That's grossly inefficient... in some of the places I worked, I only needed a single person (my manager) to get 3 different wrong answers.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  11. Re:You all have no idea by Anonymous Coward · · Score: 2, Insightful

    Assumption junction, what's your function? Hookin' up word and phrases and sound bites.

  12. Re:you have to be in the system by Adult+film+producer · · Score: 2

    The only database you're in is a paper file cabinet at that hospital. What are the chances those paper files are leaked onto the internet or stolen from someone's parked car? Nearly zero.

  13. Should have looked further by jforr · · Score: 5, Informative

    "Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing."

    Submitter should have dug a little bit further. TRICARE was the agency where the records originated, but SAIC was the "business associate" that actually lost the records belonging to TRICARE.

  14. I beat the system by slashmydots · · Score: 4, Funny

    I beat the system by having no significant medical records in the last 10 years :P One finger X-ray (no break, yay) and like 2 appointments for allergies. Good luck blackmailing me with that, lol. I just stay exceptionally healthy. Take that, hackers! lol.

    1. Re:I beat the system by TheRealMindChild · · Score: 5, Funny

      I go the other route. I have so much debt in medical bills that only a fool would try to steal my identity

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  15. But server was hacked.... by stanlyb · · Score: 5, Insightful

    If you read the article, you will see that the main problem is of proper handling of the backups, not the actual server application or database, or with other words, here the problem is the "meatware", not the "software"

  16. Putting health records on the web is a good thing by spasm · · Score: 2

    I think this is all kind of backwards. Since moving to the US a decade or so ago from a country with universal healthcare* the biggest problem I've had is with getting my health records passed from one provider to the next when I change jobs / locations / insurers. I'd love it if someone hacked all my health records and put them on the web for everyone (including myself), since that'd actually mean my various providers could see what the last person produced. I really don't give a shit if my next door neighbor knows I have elevated cholesterol and am on anti-anxiety meds. Shit, if they knew that I was so stressed I was having panic attacks, maybe they'd stop firing up their fucking leaf blower at 8am sharp out of concern for my wellbeing. But I digress.

    The reason Americans are so paranoid about 'other people' seeing their healthcare records is some of the 'other people' are for-profit health insurers and before 2010 (when key provisions of the Patient Protection and Affordable Care Act aka 'Obamacare' came into force) they could and did deny coverage to people with pre-existing conditions. It's not surprising that there's a bit of a social lag here - three generations of Americans have had to be scared about whether their for-profit healthcare provider could find a way to weasel out of actually paying for necessary healthcare, and it's going to take a while for people to realize they don't have to give a shit any more.

    * Good luck guessing which country I moved from - every other first world country on earth has universal healthcare, as do many of those who can't easily claim 'first world' status.

  17. appropriate measures by kermidge · · Score: 2, Insightful

    To hell with fines. Felony-grade jail time in no less than medium-security, from top people on down, with the parole condition that upon release they never work with customer information or data again.

    1. Re:appropriate measures by kermidge · · Score: 2

      @AC - probably not, but I've worked under various fiduciary and performance bonds where the consequences for screwing up carried the risk of jail time.

      Thorodin - ah, good, some discussion. I don't see that fines work: cost is passed to clients' insurance; the highers and stockholders are not affected in any meaningful way. Notice I said top down - not the bods and sods in IT (unless they'd been screwing the pooch.)

      How many stories and posts have we seen just in the last year or so where upper management assigns the vague task "make it secure" and then hamstrings everything/everyone trying to do that?

      No, I have but few clues as to just how complex the matter is. What does seem clear, though, is that "business as usual" is not working too well. Have you any ideas on what might could be done to make things better?

  18. Re:Putting health records on the web is a good thi by Z34107 · · Score: 3, Informative

    Nobody has to "hack" your medical record. HIPAA guarantees you a copy, so go ask for it.

    If, instead, your beef is that the doctors treating you don't talk to each other, find some that do. Electronic health records make this trivially possible, and there are lots of Keysers out there practicing managed care.

    Finally, do you really think that "for-profit insurers" are the only reason Americans expect their medical records to be confidential? I understand that you have Nothing To Hide, but "too much patient privacy" is the last thing wrong with healthcare in America.

    --
    DATABASE WOW WOW
  19. Re:happened yesterday by eyenot · · Score: 2

    And what does your play-wife have to say about all of that? Is she concerned for her medical privacy in general, or just when you're around? Also, who was this other person at your work-wife? HOW was this other person "at" your work-wife? Answers. I demand answers.

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  20. Sold Out By HIPPA by anorlunda · · Score: 2

    Before passage, the HIPPA bill was much debated. Privacy advocates wanted two big things, (a) opt-in rather than opt-out and (b) the right for patients to refuse permission for their health into to be used in ways they don't want while still receiving treatment. They privacy advocates lost.

    The result is that now, when you visit the doctor you get a multi-page privacy disclosure. You are allowed to request changes in how your health info is treated. However, the provider has the right to refuse treatment if you request even the slightest deviation. That means that providers can write their software presuming that 100% of patients consent to the most invasive and insecure privacy practices.

    It should be the right of every patient to forgo the advantages of digitally stored health records and to opt-out without being sent packing without treatment. One should even have the right to seek treatment anonymously and pay cash. Even that is forbidden by state and federal laws regarding record keeping by providers.

    I'm afraid that the only way out for US citizens determined to protect their privacy is itself a felony. I speak of identity theft -- fraudulently using someone else's identity to get health care.

    HIPPA was supposed to protect patient privacy. Instead, it merely adds to the mindless and wasteful bureaucracy of health care while institutionalizing privacy invasive practices, giving legal cover to abusers, and criminalizing individual tactics to protect themselves. In addition, HIPPA preempted many state laws that provided better privacy protections than HIPPA.