Slashdot Mirror
'Wall of Shame' Exposes 21M Medical Record Breaches
Lucas123 writes "Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records where also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."
With their wallets?
Wasn't there an article recently on Slashdot about how the IRS is likely to pay $21 billion dollars over the next 5 years because of identity theft?
On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data.
BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.
Say they used new HHD-s at $100 for a 1TB HDD -> HDD cost=$88,500. F*** it... let's be generous and say all the equipment amounts for $1M.
The rest should be labour-cost, isn't it? Which means $1000/h... Seems to be a good trade to be in.
Questions raise, answers kill. Raise questions to stay alive.
In this case, what you suggested amounts to "government should punish itself" - something not very common for the US govt, wouldn't you say?
Nor terribly productive.
At best, they increase their budget by the amount of the fines, and then raise taxes to cover the increased budget.
At worst, they pay the fine without increasing their budget, and make cuts elsewhere... thereby ensuring that not only is there no money to improve the security that led to the first breach, but now they are probably running shorthanded increasing the odds of a second breach...
Punishing governement and large corporations is generally meaningless. We have to pierce the veil and go after individuals within them... fine or even imprison them personally.
And why do we care who has our medical information?
Because in the US, we've decided that the only people that get health care are those with jobs. So getting a job is deeply tied to one's state of health. Accidental leaking of your health care information could lead to losing your job, or failure to obtain one. Other laws try to tackle that, but nonetheless, we all have the fear that if our potential employer (especially) knew how much we might really cost, we wouldn't get that job. And the fact of the matter is that no employer wants to employ a sick person if they can help it.
We'd be better off decoupling health care from employment. One side effect would be that medical information wouldn't be so secret. This is rather important when you consider that that information should perhaps be shared among health care providers, patients with the same ailments, and especially, family (possibly distantly related but genetically susceptable, for instance).
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
"Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing."
Submitter should have dug a little bit further. TRICARE was the agency where the records originated, but SAIC was the "business associate" that actually lost the records belonging to TRICARE.
Criminal charges against the CEO, CIO and CSO level. Or at least civil charges.
I'm currently working on a project with a major regional medical HMO. What I've found in 3 months of digging makes me want to *never* have a friend or family go to any of their affiliates. There is zero recognition of privacy -- admins are routinely passing round medical records of celebrities. Their idea of 2 factor authentication was forcing someone to login with the same credentials twice in a row. What appears to be security (doctors, nurses using RFID badges to login and out) is theatre only -- only a single ID is associated with all RFID badges for logins. A complete farce.
Why? Because even when caught there is no penalty. Make the penalty meaningful to the people running things, and you'll see cultural changes pretty damn fast.
I go the other route. I have so much debt in medical bills that only a fool would try to steal my identity
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
If you read the article, you will see that the main problem is of proper handling of the backups, not the actual server application or database, or with other words, here the problem is the "meatware", not the "software"