Why Chinese Hackers Would Want US Hospital Patient Data
itwbennett (1594911) writes In a follow-up to yesterday's story about the Chinese hackers who stole hospital data of 4.5 million patients, IDG News Service's Martyn Williams set out to learn why the data, which didn't include credit card information, was so valuable. The answer is depressingly simple: people without health insurance can potentially get treatment by using medical data of one of the hacking victims. John Halamka, chief information officer of the Beth Israel Deaconess Medical Center and chairman of the New England Healthcare Exchange Network, said a medical record can be worth between $50 and $250 to the right customer — many times more than the amount typically paid for a credit card number, or the cents paid for a user name and password. "If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details," he said.
Time to add DNA information to our medical records!
Time for Medicare for all in the USA. Also, the million-dollar heart transplant is loaded with markup; you can likely go outside of the USA and pay way less for it.
Also, due to court rulings in favor of inmate care, you can just go to prison/jail to get one as well.
http://www.cbsnews.com/news/pr...
Are there documented cases where the uninsured poor have bought black-market medical records to get healthcare? This seems preposterous.
And more likely some hacker group wanting to sell SS# and CC# on the black market.
That's my opinion.
"a person could use the stolen data to convince a hospital they are insured and receive treatment, Halamka said."
Until the hospital asks for money from the insurance company.
You used an example of a data breach where no medical information was stolen to explain why hackers would want medical information. RTFA before you link to it in a new article.
Whenever some company starts offering low-price transplants to the uninsured poor, you'll have your answer.
The thesis is that you can waltz into a doctor's office AND a hospital with faked records and get the treatment needed. Basically the important bit is the insurance info - what has happened to "you" is less important than what you want to eventually happen to you (in the example given, a heart transplant).
I kinda doubt this, at least in a general sense. First off, you can show all the insurance cards and 'insurance info' to the medical provider all you want. The provider is going to query the insurance company before doing anything expensive. Fine, you say, call them all you want, the 'patient' is insured (it's just not the right patient). Now comes the hard part. The minute that the insurance company starts getting claims from both Peoria and Trenton, NJ, flags are going to go up. Other old records would be sought (for something big like a transplant or joint replacement) which would likely not match.
Anything remotely resembling a heart transplant is going to fall apart unless both the real and fake patient have nearly identical physiques, ages and problems. More routine issues could go undetected for a while, but persistent discrepancies would show up, and as soon as the insurance company flagged the claim as problematic, big-ticket items would be placed on hold until things got cleared up. When I worked in an early Medicaid HMO in the 1980s we had some problems with folks 'sharing' the Medicaid ID card (no picture, just a printout basically). It was pretty obvious when the patient's weight varied 30 pounds every other week. We soon insisted on photo ID.
And, in fact, the feds also insist on photo ID these days. Yes, if you're bleeding out we don't ask for it up front but as soon as your blood pressure normalizes we're poking around to figure out just who you are.
So it's possible that full-on medical records might be of value, but it's going to be much harder to monetize than a credit card number and likely would be of limited use. That doesn't mean that the information shouldn't be sealed up, of course. I'm just not sure how big a deal this is. And, in the case of the Community breach, they apparently did not get that information anyway.
Faster! Faster! Faster would be better!
This article sounds more like a lame attempt to justify obamacare than anything else. "See, we should have universal care because hackers!"
If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details
Something tells me it would be a little trickier than that given all that is involved in that million-dollar heart transplant. Not to mention all the local news coverage, the calls to the insurance company prior to surgery given the high cost of the surgery, getting on the waiting list, etc, etc. Not to say that it's not possible that people buy the records for getting medical care, but maybe that example isn't the best in the world.
In reality, I imagine it's the SSN coupled with a wealth of information about that person that is really what is so valuable. That can be used for any number of things other than medical care specifically. It's only natural to link the source of the data to the ultimate purpose, but in this case I don't think they are so closely intertwined. It's simply valuable data held in a hospital network.
The parasites in congress are the problem, not the answer. They're feeding their friends, the lawyers. Let's be honest; It's a lot better for me to order tests than to evaluate a person. The insurance company doesn't pay me to do the latter, and the lawyers are waiting for me to do the former. The more tests I do, the harder a case they have to demonstrate, and the lower my insurance, so higher my profit. It's really simple. Keep electing your lizards instead of their lizards, and healthcare will continue to be defensive.
Medical records are insecure... so it's time to migrate to a system like the UK where they contain comprehensive information about each person? Am I actually reading this?
Until patient confidentiality is enshrined into laws with real teeth and my insurance company, employer, or local black market guru can't get their hands on them I think I'll pass.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
No, it's the people with diabetes, or cancer. You steal a record that is as close as possible to your own, and you use it. God help the real patient, who has to worry about doctors looking at the thieves' medical results.
Only proves health-care should be a universal right, then you wouldn't have any fraud with patient records...
duh...
to all the important or otherwise image conscious people who have diseases and conditions they don't want made public.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Sorry, our DNA is copyrighted and adding it to our records would be an infringement on the copyright.
THANKS OBAMA
There is Insurance Fraud.
This isn't being collected for individuals. That's too much work. It will be used for bulk insurance fraud: a portfolio of bogus patients to be mixed into a doctor's insurance billing.
No one is uninsured now. Obamacare magically fixed that on January first, 2014. This article must be all FUD and spin.
This would show up on a monthly EOB statement.
Where have you seen a million-dollar heart transplant bill? Prove it!
The reason people can't get heart transplants is a lack of available heart organ donors. Under US law, organ donation has an "opt in" rule: one must sign a document (e.g. the driver's license) to be a donor. Compare this to junk mail or SPAM, which is an "opt out" rule.
Spain changed its laws (in the last decade?) to an "opt out" organ donation rule. This increased organ donation significantly. Other organs are more readily used, since kidney, skin grafts, & even corneas are in better condition at death.
I don't think the data is private primarily to prevent fraud. My first guess was medical tourism. Overseas drug prescriptions, &c. &c.
So it's not for the name, address, date of birth, social security number etc. that can be used for any lucrative form of identity theft? That's a relief!
I'm not an expert, but I play one on slashdot.
If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details.
It would be less painful to just kill yourself than to receive an organ transplant based on someone else's medical record and then wait for rejection to set in.
I'm serious. Where did you go to school? Because I want to make sure that absolutely nobody I know goes there. Wow. If your plan was to take the daily prize for grammatical errors, missing words, lack of sense, and so on, well, congratulations as we have a winner.
You're (you might notice that I spelled that correctly) the only person I know of to ever mention individual state laws as a health care problem. A law can simply be passed making health care a federal matter to deal with that. And tuition to medical schools has always been high. This is not a recent occurrence. Outside of Los Angeles there just aren't all that many plastic surgery doctors, so that's not really a problem either. However, there is a shortage of general practitioners among younger doctors, and that is because it doesn't pay as well as specialty medicine does, but doctors are going into all the specialist fields. There's no explosion of cosmetic doctors. And the system can only support so many specialists. Every medical school candidate simply can't go into the same specialty because there aren't enough training opportunities.
Getting a record that is close to your own would be of no benefit. If you need a heart transplant, you get the records of a patient that is worse off than you, so that you can gain a better position on the transplant waiting list.
When our name is on the back of your car, we're behind you all the way!
It's FAR more likely they use that information to bilk insurance companies directly.
These records may well have been stolen for the value of a selected few of the records. Chinese intelligence may not be interested in insurance fraud, but they certainly are interested in collecting intelligence on (some) American citizens. Think politicians, defense contractors, key employees of sensitive agencies (DOE/DOD/DOC/DOS/DARPA), etc. Medical information on such targets can be very valuable.
"People without health insurance can potentially get treatment!" "Instead of just dying as they should!", they could add. This statement alone shows how beautiful your society is. You let people die (no, the right word is kill them) because they don't have money. Well, you never know when this debt will be repaid, so, think about it...
They were looking for ancient Western secret to short life.
This is just more evidence that the medical industry is not prepared to provide adequate protection for online medical records. I remember a televised discussion of online medical records and privacy concerns. The reporter asked the executive in charge of a major online records project about the potential security risks of online medical records. The exec replied "Well, we use a username and password for access, so it's secure" (cue face-palm). I know HIPAA compliance does a lot, but we have hospitals that are more than a decade behind the times in terms of security; they are not at all prepared to provide online access to records and patient privacy from determined hackers.
So that they know who to send the "we realize you're not getting decent healthcare but come to China and have that rectified asap" letters?
Requiem for the American Dream
Though I did like: "The situation is different in a country like the U.K., where the National Health Service assigns a unique ID number that ties patients to centralized medical records." - because that's nothing at all like the function the stolen SSN is performing in this case. I guess those unique ID numbers are unstealable...
I'd put "the Chinese are clearly using the information to get US passports with the ID information so they can sneak their spies into the US more easily" above "people want it to get a heart transplant under someone else's name" on the likely-to-happen list.
These days, I don't blame China, Russia, or whomever the finger is pointed at. It is similar to blaming whoever picks up a $6,000 racing bike that is sitting on a street corner with no lock on it. Yes, the thief stole it, but there is responsibility on the owner's part to at least toss some type of lock on it. The car analogy would be blaming people because someone left their high-zoot sports car with the engine running. Yes, a theft happened, but the driver was foolish for leaving it ready to be taken.
I blame companies for falling into the "security has no ROI" trap. I also wonder why HIPAA isn't enforced, or at least some auditing is done for assurance reasons.
This isn't rocket science here. Cisco fabric is common and it is fairly trivial to put firewall rules in place to separate departments. On the cheap, Cisco ASAs are a couple C-notes on the low end, and if configured with any sanity, they are not going to be hacked barring a backdoor in IOS [1]. The sensitive machines can be locked down with many utilities (AppLocker comes with the OS, for crying out loud, and on machines in finance, let people have a remote desktop to a server for viewing the Web as they please, while keeping some isolation in place, and lock everything else down.)
Basic security doesn't even require a CISSP. Yes, people bash the NSA, but NIST has some very good guides and checklists to start out with. It is obvious stuff, for the most part, but reading the guides for operating systems usually turns up small things that one tends to miss, such as on AIX, using trustchk to limit what executables are in use, or turning on end to end transport encryption via TLS on Exchange so sites that have a lot of E-mail going over the Internet can use encrypted tunnels for their messaging. On Linux, turn on AIDE (functionality similar to Tripwire), save the private keys on a USB flash drive, then run scans every so often. In the US, it is taxpayer dollars used wisely. If needed, grab a freeware SCAP tool and an XML file, do a scan, then decide if you want to bother with the results it comes up with.
Windows has plenty of security tools in the OS. It is harder to -not- lock down Windows Server 2012 than it is to lock it down.
For the tl;dr crowd... I am starting to blame the Chinese less because, in general, the lack of security of US companies makes things a free for all. Following even basic security precautions that are baked into the OS would make the availability of patient medical records to unauthorized parties a lot tougher.
[1]: Not iOS, IOS, which Cisco used for a name for decades, and IBM uses the same name for the scaled down AIX version that is on the VIO servers. oem_setup_env is your friend.
The reference claims medical identity theft is the most common type of identity theft, but I don't believe it because there are relatively few cases in the news about it compared to fake credit card and account withdrawals. It might be the source of the most general identity thefts, due to the looseness of medical record keeping.
"a person could use the stolen data to convince a hospital they are insured and receive treatment, Halamka said."
Until the hospital asks for money from the insurance company.
Why do you think they'd have a problem with that? The same information you're giving the care provider is what they'd send to the insurance agency. They're even less likely to know you aren't the insured - at least the care provider saw you in person. They just tell the insurance agency that so-and-so came in to do x, paid $y copay and here's the bill for $z. Until the insurance company sends you a notice of how you've used your benefits, or unless the person has tried to do something outside of your plan or that otherwise contradicts your medical history somehow, who is going to notice, how, and when?
"IDG News Service's Martyn Williams set out to learn why the data .. was so valuable. The answer is depressingly simple: people without health insurance can potentially get treatment by using medical data of one of the hacking victims."
And the people seeking such medical treatment wouldn't be aware that their medical history would be totally different than the real patient's. And the medical establishment wouldn't be able to detect when the same people applied for medical treatment in two separate medical facilities. This whole story is just so much cyber bullshit, an excuse to insert a free advert for some American medical insurance company.
I occasionally get pre-recorded telemarketing calls to my cell phone (on the DNC) from a "National Crisis" about drug/alcohol abuse. If you press for any information, they hang up with no explanation. If you are on a State or Federal program (Medicaid, Medicare), they quickly hang up. They demand you to give them your medical insurance info so they can "help you find a suitable treatment program", but if you ask for an address, website, or do nearly anything but mindlessly comply, they quickly hang up. Lots of complaints on 800notes.com and other related web sites.
See subject and do what it says
He's racist pure and simple. It always shows in his writings. For instance in that original post he refers to "el presidente" and illegal immigrants in the same sentence. I wonder what race he could be thinking of? You correctly hit the nail on the head with your assessment of his slip and I have to say his reply to you is the sorriest save I've seen in ages. He is always running his mouth in any of these threads where he can bitch about poor minorities. This one is no different.
But I thought now with Obamacare free health care grew on trees.
Nobody is getting a heart or kidney transplant by stealing someone else's medical identity; that's just ridiculous. Impersonating someone else's medical history is not going to result in proper diagnosis or treatment.
A +2 Hell yeah! to you sir!
Best retort to a grammar/spelling Nazi I have seen yet.
It always amuses me how the pedants seem to exemplify the very things they wish to bitch about.
The worst being the ones who like to use antiquated meanings or rules that have long since fallen out of conventional usage.
The world owes you much for this post. (^;
Donald Trump, on a crusade to make Nixon look respectable
Better check your history.
NO Republican voted for the PPACA health care bill. It was passed on a holiday evening by a vote on strictly partisan lines. 34 Democrats voted against it. Practically no one had even read the 2700 page bill (I did, eventually). The day after the House passed the Senate bill, the House tried to repeal it.