Slashdot Mirror


One In Four Indiana Residents' E-Record Data Exposed in Hack

Reader chicksdaddy reports that a data breach involving four million patients and more than 230 different data holders (from private practices to large hospitals) hit Indiana especially hard. It's the home state of Medical Informatics Engineering, maker of electronic records system NoMoreClipBoard. While data exposed in the breach affected 3.9 million people, 1.5 million of them are in Indiana. According to the Security Ledger, though: [The] breach affects healthcare organizations from across the country, with healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach. And, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from EMI on how many and which patients had information exposed.

'We have received no information from MIE regarding that,' said a spokeswoman for Fort Wayne Radiology Association (http://www.fwradiology.com/), one of hundreds of healthcare organizations whose information was compromised in the attack on MIE.

60 comments

  1. Figures by Ol Olsoc · · Score: 1
    They scream bloody murder about HIPPA! HIPPA! and act like you are a trrrist if you ask for your cousin's condition.

    Then they give everyone's data away.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:Figures by Anonymous Coward · · Score: 2, Interesting

      HIPPA discourages unauthorized disclosures, but it discourages looking for these disclosures even more.

    2. Re:Figures by KGIII · · Score: 1

      If I remember the form properly (I am not actually sure I can say this though, frankly, who gives a shit? I think disclosing the form's content was against the rules.) then every single one of the records from the OPM hack was also covered by HIPPA. There are medical questions, including contact information, on those documents some of which are quite specific. Hmm... That should be legal?

      I still do not think I needed to fill it out - I had absolutely zero access to any information that would do anyone one lick of good. If you do fill one out, make sure you are complete and honest. They call on people like your best friend's high school girlfriend and shit. Very invasive. I disclosed drug and alcohol use and still was fine. I just needed some data though and all data was accessed on site.

      --
      "So long and thanks for all the fish."
    3. Re:Figures by Anonymous Coward · · Score: 0

      That's all I need redacted medical records.

      What's wrong with me doc?

      You have a _____ in your ____ from ______ and ________ you're probably going to ____ in the next ___ ______! If you notice any _______ or ______ you'll need to ______ asap! Any questions?

    4. Re:Figures by Anonymous Coward · · Score: 0

      "toy car" "rectum" "your wife" "her best friend" "defecate" "four" "hours" "bleeding" "abdominal pain" "visit the ER"

  2. How is this even possible? by Anonymous Coward · · Score: 3, Insightful

    Why should a company storing confidential data have any ability to access any part of that data? Especially when there are hundreds of separate owners of the data!

    Each data owner should encrypt data before it leaves their site. In fact, individual documents should be uniquely encrypted.

    These stories of leaks of massive amounts of data -- again and again! -- just prove that nobody cares.

    1. Re:How is this even possible? by sumdumass · · Score: 2

      I think it has something to do with the online records requirements of the ACA. If you live in Chicago and have an accident while vacationing in Florida, the doctors in Florida are supposed to be able to access your medical records from Chicago without much effort in order to treat you more effectively and timely. Encrypting it would somewhat end that and somehow this is all supposed to be controlled by the IRS who will share information with about 200 or more other government agencies between the state, local, and federal levels.

    2. Re:How is this even possible? by Anonymous Coward · · Score: 0

      Why should a company storing confidential data have any ability to access any part of that data?

      Based on your astonishing insight that companies storing confidential data should not need to access that data, I claim a breakthrough in cryptography! Here is an encryption table that is LITERALLY UNBREAKABLE, even by brute force attacks using NSA supercomputers:
        00: encrypts to 00
        01: encrypts to 00
        10: encrypts to 00
        11: encrypts to 00

    3. Re:How is this even possible? by Anonymous Coward · · Score: 0

      That's a common destruction table. Cryptography and encryption imply recoverability. Your claim is thus invalid.

      Anyway, the issue is just as much about encryption strength, as it is about everything else required to protect the encryption and decryption machines, and all machines and persons physically (in the larger sense of the term, including access through wires, or wireless waves of all sorts, including unintentional EM emissions) able to access the unencrypted or decrypted data.

      It would be much, much easier to change the whole society so people wouldn't feel anymore the need to try to access legitimately private data, and it wouldn't matter that much anyway if they did access it, and most health issues would be solved anyway.

    4. Re:How is this even possible? by Anonymous Coward · · Score: 0

      Cryptography and encryption imply recoverability.

      Not when you're drunk!

      That was a rough morning after... I never did recover my data. Fortunately I had other backups but they were not complete and it was only a home computer.

    5. Re:How is this even possible? by mlts · · Score: 1

      That is the same principle how a proper BOFH does backups. Everything goes to /dev/null, and is properly "encrypted" with the above table. Fast, few I/O errors, and properly secure.

  3. So Much for HIPPA Rules by BoRegardless · · Score: 1

    Patient records are no more safe than credit card info at your local restaurant.

    1. Re:So Much for HIPPA Rules by BlueStrat · · Score: 1

      Patient records are no more safe than credit card info at your local restaurant.

      Well, let's keep things in perspective here. The breach only consisted of intimate medical details of little people.

      HIPPA-schmippa, it's not like it concerned something vital to national security to keep secret, like the POTUS' college records or original birth certificate.

      I'd bet if Congress and other members of the Federal government were required to participate in the ACA (AKA 'Obamacare') like everyone else, security would be much tighter.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    2. Re: So Much for HIPPA Rules by BarbaraHudson · · Score: 1

      In the grand scheme of things we already knew that this was bound to happen, and will continue to happen. We need to adapt our attitudes so that we can no longer feel embarrassed by revelations of a personal nature. Everyone will be better off in a future where we are not so obsessed with worrying about our secrets being exposed.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re: So Much for HIPPA Rules by Anonymous Coward · · Score: 0

      Hi Barbara, I agree with you, we simply need to adapt our attitudes so we are no longer embarrassed by revelations of a personal nature.

      Unfortunately, I'm still one who gets a little concerned about such stuff...even though I was one of many millions compromised by the US Government employee database hack.

      Of course one of the problems is that if your name is the same as someone famous, people will start sending you stuff. My name is the same as a former politician. The only good thing is it is hard to find the real me in a Google search. Sure, if you wade through page after page of results, you'll eventually find me.

      http://slashdot.org/~BarbaraHudson

    4. Re: So Much for HIPPA Rules by Damarkus13 · · Score: 1

      It's not just embarrassing data though. Medical records contain social security numbers. Until we address the fact that anyone with my address, birthday and ss# has full access to my credit, these hacks will continue to inflict serious damage.

    5. Re: So Much for HIPPA Rules by Anonymous Coward · · Score: 0

      Ok, expose for me right here and now: your full name, date of birth, ss#, address, phone number, primary physician, credit history, loan history, STDs on record, height, weight, picture...

      If you cannot, I will take it as you talking outta your ass.

  4. Just wait until the MIB gets hacked by GerryGilmore · · Score: 1

    For those of you outside the field, be very, very worried that these (https://en.wikipedia.org/wiki/MIB_Group,_Inc.) guys get hacked. If you have ever had a medical condition covered by any of our world-renowned Private Health Insurance Industry providers, it's on file here. Enjoy. :-)

    1. Re:Just wait until the MIB gets hacked by phantomfive · · Score: 1

      They've already been hacked several times, but people forgot about it because they were flashed.

      --
      "First they came for the slanderers and i said nothing."
  5. clipboards? by cascadingstylesheet · · Score: 1

    What was so bad about clipboards again?

    1. Re:clipboards? by Anonymous Coward · · Score: 0

      give it a rest buddy

    2. Re:clipboards? by Z34107 · · Score: 4, Informative

      What was so bad about clipboards again?

      Clipboards have a bunch of known deficiencies. They're effectively write-only, especially if no one else can read the doc's handwriting.

      Then, they're hard to duplicate. Should you end up in the hospital (heaven forbid), hopefully you're conscious enough to explain your drug allergies to the EMT, because it'll take a while to find out which clinic you normally see and get a copy of their clipboard. Then the copy of the clinic clipboard ends up in the hospital's clipboard, but the stuff in the hospital clipboard probably won't make it back to the clinic clipboard.

      There's also only one copy of the hospital clipboard, so the cardiologist treating your heart attack can't put notes in your clipboard if the hospitalist took it to figure out what meds you were (or should be) on. If they do make copies, someone has to make sure the cardiologist's annotations make it into all of them without error. Those charts then have to be stored in a giant bunker somewhere, forever.

      Clipboards are also bad at medication safety. When you're giving millions of med administrations to millions of patients, eventually you end up giving the wrong drug to the wrong one. Clipboards can't verify that you nabbed the right patient or the right drug, which kills people once you scale up the mistakes that would have happened to a national level.

      Even before the nurse gives the meds, a clipboard can't tell the doctor that one of the medications he's ordering will interact with the medications someone else ordered. That also kills people. If one lot of those medications was tainted and recalled, it's also really, really hard to find out who was affected if all your administrations are documented on paper.

      Finally, it's really hard to bill correctly if all of your documentation is on paper. If the coder going over the clipboard misses a charge, the hospital loses out on money. If the coder invents a charge, you lose out on money. If the coder can't find whatever documentation a kafkaesque insurance company demands to justify a procedure, you both lose out on money. Also harder to reject a claim for not being written in blue pen with block caps when the claim is electronic.

      There's a bunch of other ways clipboards suck, and a bunch of ways the clipboard-replacements suck, but the former tends to suck a lot more than the latter.

      --
      DATABASE WOW WOW
    3. Re:clipboards? by BlueStrat · · Score: 0, Troll

      give it a rest buddy

      I wish I could, but those who seek personal & political power & control without regard for who or what they harm don't.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    4. Re:clipboards? by cascadingstylesheet · · Score: 1

      There's a bunch of other ways clipboards suck, and a bunch of ways the clipboard-replacements suck, but the former tends to suck a lot more than the latter.

      Fair enough.

    5. Re:clipboards? by AthanasiusKircher · · Score: 2

      Clipboards have a bunch of known deficiencies.

      Your post is informative and makes a lot of sense. On the other hand, I think there are plenty of new types of errors which can be created with electronic systems. In particular, when you abstract data from records and substitute codes in, you make it easier for people to stop looking at original records. Those original records might also contain contextual information that would prevent some errors. In most cases, I imagine the benefits of electronic records outweigh the problems, but when you depend on a computer system to check a bunch of codes, it's harder to realize there's an error in the coding compared to a paper record with context.

      Finally, it's really hard to bill correctly if all of your documentation is on paper. If the coder going over the clipboard misses a charge, the hospital loses out on money. If the coder invents a charge, you lose out on money. If the coder can't find whatever documentation a kafkaesque insurance company demands to justify a procedure, you both lose out on money. Also harder to reject a claim for not being written in blue pen with block caps when the claim is electronic.

      I'd actually like a citation showing the medical billing has improved since the system became all-electronic. Most studies seem to agree that the majority of medical bills these days contain errors. I never realized how bad it was until I switched to a high-deductible plan (for various reasons) a few years ago. Since I had to pay out-of-pocket for almost everything, I started paying detailed attention to medical bills.

      And out of all the interactions my family has had with doctors in the past 3 years, at least 75% of them have had billing errors. And it's not just your "kafkaesque insurance company" -- I think we've seen at least 8 different providers, and the majority of them have made billing errors. I'd say the insurance company was responsible for maybe 1/3 of errors at most... it's primarily the providers.

      As part of my plan, I'm supposed to receive a free annual physical. The first year, my doctor's office filed the claim FOUR TIMES and each time made different coding errors. Finally, the last time they ended up double-crediting me on something, and I ended up $5 ahead of what I was supposed to pay, so I just gave up. Last year, I tried to fix this problem by bringing in a copy of the relevant page from my benefits booklet explaining exactly what was covered in a routine exam, and requesting that the office ONLY perform those procedures. They still screwed something up. A family member saw a different doctor and did the same thing, and both the insurance company and the doctor's office made errors -- which combined resulted in four charges we weren't actually responsible for.

      Medical billing in the U.S. is a disaster. I don't think most people seem to notice, because insurance "covers it" and so people just pay their $20 co-pay for most things and move on. For those poor people who actually need to pay bills (and people who elect to through a high-deductible plan), it's beyond kafkaesque.

      I'm not saying clipboards would fix this problem. But if documentation were actually attached to most things, rather than existing only as random billing and procedure codes, I'd imagine it would be easier to track things down. As it is, I find it next-to-impossible to even resolve billing errors because all the statements I receive from the physician and insurance company have a bunch of numbers and too little explanation of what they are actually doing. I have spent hours examining the bills, matching up charges (since they aren't reported the same), then querying the insurance company (who, when pressed, will actually tell me what the diagnostic codes mean), which I then have to call the doctor's office and force them to code them correctly, rather than using some random diagnostic code for something I didn't even have.

      I've talked to ot

    6. Re: clipboards? by Anonymous Coward · · Score: 0

      Clipboards don't cost millions of dollars or require armies of consultants who don't know what they're doing. They don't provide bragging rights for hospital boards full of know nothing rich people who think they're useful, or corporate boards which are largely the same.

      Bottom line is you can't get rich off of clipboards and that's what's 'wrong' with them.

    7. Re:clipboards? by BlueStrat · · Score: 1

      Well, let's see how many mod points you're willing to waste.

      What was so bad about clipboards again?

      The data on those clipboards are not as easily & quickly accessed by the current administration's political operatives seeking to damage/destroy their political opposition and suppress grassroots movements.

      What, you thought there was any other reason that actually mattered to those in power?

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    8. Re:clipboards? by Z34107 · · Score: 1

      I won't disagree that medical billing is still a nightmare, but it's not the fault of CPT codes. No insurance company will sign a blank check and ask the doctor to fill in the amount; they all have a maximum they'll reimburse for, say, a broken leg, and they'll reimburse "broken leg" differently for a simple fracture than an unexpected amputation that took a crack team of surgeons 32 hours to reattach.

      The codes are just a standard way to quantify exactly what was done. The "standard" part is important since most docs wouldn't be able to deal with more than a single insurance company if they all spoke a different code set. Absent a code set, it's much harder to determine how much your treatment should have when all you have are subjective descriptions from multiple doctors about what each thought they did. Codes remove that ambiguity, which insurance companies otherwise use to delay paying you and the hospital for as long as possible.

      Generating the codes in the first place is complicated in the clipboard world, where a medical coder has to pore over sometimes hundreds of pages of scribbles to find out whether your vitals ever spiked into a danger zone that would have required more frequent nursing attention (at a higher cost), whether you were ever given certain kinds of medication, and, more subjectively, trying to divine what you actually had from the doctor's free-form notes, and what codes best describe that particular malady. Since this requires examining linear yards of flowsheet annotations (where an individual, critical cell might be missed) and subjective interpretation (does this description of a fracture qualify for Break-1 or Break-2?), different medical coders can end up coding the same chart differently.

      Computers, in theory, can solve this. The computer knows exactly which medications you were given, how often, and at what cost. It knows exactly how often nursing took care of you, and can unambiguously determine your acuity. It knows every human in the operating theater, how long they were there, how much they cost, and every roll of gauze they used. Even free text notes are often templated, with doctors filling in blanks on standardized forms with multiple-choice answers, each of which can be unambiguously evaluated. Computers can instantly and unambiguously determine who took care of you, exactly how much it cost to take care of you, what codes best describe those services, and can communicate that information electronically to your insurers.

      Where this falls down is a lot of computer systems grew organically--first a program for scheduling, then a program for billing, then a program for tracking clinical notes, then a program for monitoring vitals, etc., rather than some comprehensive monolith springing forth fully-formed right at the start. This means that to bill for a pregnancy, a medical coder might have to hunt through a dozen different systems: An ADT suite to determine where the patient was roomed and for how long, since a regular bed costs much less than intensive care. A specialty labor and delivery system, to gather the myriad of data states and to defend against lawsuits. An often separate fetal heart monitoring suite. An often separate ultrasound modality, with its own operating system that may or may not speak industry standards, that may or may not pair with a separate vendor-specific image viewer on computer workstations. A separate OR suite for documenting personnel, and doing counts and checks (to make sure you're billed for the roll of gauze they did use, not billed for the one they didn't, and that neither were left inside you.) A still-separate anesthesia suite, to make sure they don't gas you to death. An inpatient system for tracking medications and vitals, which may or may not be missing the medications and vitals collected by the labor and delivery suite, which may or may not have the vitals collected by the fetal heart monitor, which may or may not have the vitals collected by the OR suite for your C

      --
      DATABASE WOW WOW
  6. Not good enough! by Anonymous Coward · · Score: 2, Funny

    Only one in four? Lame. They need to sweep up the other 75% of medical records from Indiana. Go big or go home!

  7. Indiana wants me.... by turkeydance · · Score: 1
  8. HIPAA is irrelevant... attacks are past stopping by Anonymous Coward · · Score: 2, Insightful

    I hate to be a doomsayer, but with the way weapons have surpassed armor, security is almost a pointless battle for companies. If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.

    Take network security. Backdoor in appliance gets an attacker to the management network from there, the TFTP server. From there, copying a modified config. IDS/IPS systems are pointless, as big companies already have these. Same with AV.

    Take privacy. Show me one single Web browser that can pass the Panopticlick test and not have an individual fingerprint. One. The hackers and the ad people know who you are no matter what you do with cookies and LSOs.

    Take malware. All it takes is one infection on a PC, and firmware on a video card, BIOS, hard drive, or many other subsystems can be updated so malware can load back in. This isn't new. Macs since the 1980s had the SCSI hard disk driver load code the second it saw the drive, so placing malicious code there would be trivial, and at the time, there were zero defenses. Modern malware goes through the Web browser, which runs with a full user context, and is commonly subverted via an add-on.

    Take the system of updating PCs. All it takes is to subvert Microsoft's, Apple's, Adobe's, or anyone's update mechanism, and you can pwn PCs at will, with no way someone can trace it back.

    Take physical attacks. Take the US, where 99% of locks on doors are bumpable. Even the boffins showing off their high security card readers have pin tumbler locks that can be opened with a pick gun (not even Medeco, and definitely not Abloy.)

    Take economies. The US economy is so shitty, almost anyone can be bribed.

    If the bad guys can't find a way in through some other compromise, they can browbeat someone for access. Dress up with a suit, get in someone's face that one is an auditor with so-and-so law firm, or a representative of the BSA, then scream in their ear that they will be fired or arrested if they don't hand access over -STAT-, the intruder can get into virtually any server room out there. Bonus points if they do a tiny bit of homework and drop a name or two. They can easily wind up screaming at someone, (think "command voice"), and said IT person gladly handing over the enterprise admin credentials even after their ancestry was questioned, capability to reproduce was asked about, capability to work was doubted, and their family's ancestry as sentient creatures was brought to question.

    How can HIPAA do a single thing, if any known security precaution that is mentioned is roflstomped in days? No law is going to help in this case. If laws could, they would be implemented and in place, just like the DMCA.

    TL;dr: You cannot win, and if a hacker wants your shit, they got it.

  9. Wow, the mods here are racist by Anonymous Coward · · Score: 0

    You got marked as a troll very quickly. Telling the truth here will get you banned and your posts deleted. Deleted.

    1. Re:Wow, the mods here are racist by Anonymous Coward · · Score: 0

      Slashdot posts do *not* get deleted. Please stop repeating this lie.

    2. Re:Wow, the mods here are racist by TrimTabTim · · Score: 1

      Might be technically true that they aren't deleted, but they can get marked "off topic" and disappear from all but the most determined efforts to find them.

      Deleted versus sent to the nether-worlds. No diff.

    3. Re:Wow, the mods here are racist by Anonymous Coward · · Score: 0

      That little slider thing at the top of the page? It is not just for looks.

    4. Re:Wow, the mods here are racist by Chris Mattern · · Score: 1

      Might be technically true that they aren't deleted, but they can get marked "off topic" and disappear from all but the most determined efforts to find them.

      Because selecting "-1" from the drop-down box is soooo hard...

  10. Re:HIPAA is irrelevant... attacks are past stoppin by phantomfive · · Score: 3, Insightful

    If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.

    I don't think anyone ever said they were the most secure organizations in the world. In the case of Sony specifically, their security was notable for its poor quality.

    --
    "First they came for the slanderers and i said nothing."
  11. Meanwhile by Anonymous Coward · · Score: 1

    No government employee is fired. Ever. No matter how incompetent they are. If you get lucky, sometimes they resign out of shame. Otherwise too bad, they're stuck there.

  12. MIE or EMI? by Anonymous Coward · · Score: 0

    Medical Informatics Engineering is MIE. Okay I'm with you. EMI appears to be a typo, but it's used so many times that I can't take the article seriously. I don't think they are referring to electromagnetic interference or a record label.

  13. Re:HIPAA is irrelevant... attacks are past stoppin by Anonymous Coward · · Score: 0

    Has there been a break for the PS4 yet, or a break for Blu-Ray or BD+?

    Sony seems pretty secure to me. At least their technologies.

  14. Re:HIPAA is irrelevant... attacks are past stoppin by phantomfive · · Score: 1

    Has there been a break for the PS4 yet, or a break for Blu-Ray or BD+?

    Yes.

    --
    "First they came for the slanderers and i said nothing."
  15. Re:HIPAA is irrelevant... attacks are past stoppin by dbIII · · Score: 3, Funny

    Spot on. I'll bet in both cases there are plenty of stupid shortcuts that would induce facepalms or "I told you so" on a lot of the readers here.
    Last year I had one idiot ask to put the phone system he was sometimes called out to work on onto the internet with telnet access - with no password! Another wanted direct RDP access to a machine over the internet. Neither of course seemed to have heard of a VPN or gave a shit about security - people who actually do what these idiots say are probably going to get burnt within days with the number of bots out there scanning for stuff.

  16. Re:HIPAA is irrelevant... attacks are past stoppin by phantomfive · · Score: 1

    Last year I had one idiot ask to put the phone system he was sometimes called out to work on onto the internet with telnet access - with no password!

    Wow.

    --
    "First they came for the slanderers and i said nothing."
  17. de haxxorz r in indiana nao by Anonymous Coward · · Score: 0

    lessee were dey hit next

  18. Indiana is for cows. by Anonymous Coward · · Score: 0

    You are all cows. Cows say moo. MOOOOOOOO! MOOOOOOOOO! Moo cows MOOOOOOOOO! Moo say the cows. YOU COWS!!

    1. Re:Indiana is for cows. by Anonymous Coward · · Score: 0

      You are all cows. Cows say moo. MOOOOOOOO! MOOOOOOOOO! Moo cows MOOOOOOOOO! Moo say the cows. YOU COWS!!

      Words of wisdom.

  19. Re:HIPAA is irrelevant... attacks are past stoppin by dbIII · · Score: 2

    It was the same guy that put an open drink can down on a large live UPS after someone let him into the server room so it's possible that stupidity has killed him by now.
    Turns out the "new" phone system is a ten year old model - so telnet in with no password to change the settings and he wanted us to unblock and port forward telnet to the thing. I wonder if he convinced someone else in another place and who is getting free calls out of diverting through hacked phone systems?

    So yes, these sort of people are around trying to convince anyone who will listen to punch huge holes through security to make it easier for them to support their crap devices. See the Target hack via an alarm system as an example.

  20. what a bunch of bullshit by waspleg · · Score: 2

    You're a liar or a troll. It's as simple as that. I've lived in Indiana my whole life and experienced, firsthand, racists of all colors (you did know that anyone can be a racist, right?) but they're far from the majority. Stop playing the victim, bitterness like this doesn't do anything but keep you locked in and your eyes closed to reality.

  21. What does NoMoreClipBoard run on? by nickweller · · Score: 1

    What operating system platform does NoMoreClipBoard run on and technically speaking, how exactly was the hack implemented.

  22. how were they "hacked"? by McShoggoth · · Score: 0

    I'm betting they weren't. I'm betting what happened is that the hospitals or the healthcare tech co. has weak ass verification measures when it comes to people resetting passwords. And so the hackers didn't so much hack anything as simply make a phone call or two and then walk right in the front door. No encryption to stop them. And since in that scenario they'd be using the ehr system directly that explains why there wasn't a loss of all data but rather a sort of "picking through" of data. The articles don't say how it was done. I'm betting it has nothing to do with cracking their ultra sophisticated hardware. If you haven't worked at a hospital in the IT dept then you have no idea the ease of which these places could be compromised. And the blame goes to several groups for not fostering the kind of ethos that puts a high value on security. The IT dept usually tries to do that but there's no one on the clinical side backing them up. So IT is secure, but clinical doesn't care and they're the ones who have access to all the records.

  23. Mitch Daniels former Gov -- did he outsource this? by jsepeta · · Score: 1

    Governor Mitch Daniels outsourced the unemployment database, and slashed the budget for job training for the unemployed in an attempt to keep Indiana "in the black". As a result, there are fewer IT jobs in Indiana, and those who are trying to jumpstart their career are generally-speaking, FUCKED. I wonder if any shortcuts were taken with their statewide medical patients database? It wouldn't surprise me.

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
  24. Case history by fulldecent · · Score: 1

    Does anyone have a list available of HIPPA-actionable, large-scale data breaches in the past and ensuing convictions or case outcomes / penalties from such?

    --

    -- I was raised on the command line, bitch

  25. NSA beats that 1 in 4 by johncandale · · Score: 1

    Meanwhile 4 out of 4 Indiana's complete records plus cell tracking data has been exposed by the NSA