Six Missing HDDs Contain Health Information of Nearly a Million Patients

Lucas123 writes: Health insurer Centene Corp. revealed that it is looking for six HDDs with information on 950,000 customers that went missing during a data project that was using laboratory results to improve the health outcomes of patients. The drives not only contain sensitive personal identification information, such as addresses, dates of birth and social security numbers, but they also contain health information. "While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.

Editing

"While I usually praise the high standard of editing," said readers of Slashdot everywhere.

Re:Editing

[GroeFaZ]

Good thing /. has editors, otherwise every shmuck could post anything he wants, without regard to basics like complete sentences.

Re:Editing

In my opinion, otherwise every schmuck.

This is why we need givernment-controlled.,,

healthcare, but those republicans won't let us have it.

Re: This is why we need givernment-controlled.,,

Bernie is the only person that has offered a true solution.

Re: This is why we need givernment-controlled.,,

Those republicans shoved the ACA down our throats

Re: This is why we need givernment-controlled.,,

They want our personal health information to be make public.

Re: This is why we need givernment-controlled.,,

You just know they ordered this corporation to do this

Re: This is why we need givernment-controlled.,,

They will destroy us all.

Re: This is why we need givernment-controlled.,,

We have no hope.

Re: This is why we need givernment-controlled.,,

Bernie us our only hope. He is the only person with a plan.

Re: This is why we need givernment-controlled.,,

Just as they wont let us have privacy.

Re: This is why we need givernment-controlled.,,

We're left helpless watching corporations destroy our lives.

Re: This is why we need givernment-controlled.,,

It is dangerous to fight them

Re: This is why we need givernment-controlled.,,

[WarJolt]

I just think it's hilarious you can take away everything that makes a free market insurance plan really insurance and expect Americans not to notice. I disagree a lot with what Bernie believes in, but he's the only Democratic candidate that actually says stuff that doesn't sound like complete lunacy when it comes to healthcare. Obama Care is a means to an end which is a single payer system. I'm not saying I agree with that, but the Obama Care system will collapse into a single payer or back into a free market insurance system. Although the middle ground may have been easier to pass than single payer, it's simply doesn't work. It was useful at setting up bureaucracies though.

With that said the government has a terrible history with protecting our information. I wouldn't hold then up as a shining beacon of light if I were you.

Re: This is why we need givernment-controlled.,,

Personal health information wants to be free, or so the Open Sores folks told me.

Re: This is why we need givernment-controlled.,,

Yes, goy. The geriatric communist cuckhold is the best choice for president. I mean, his special snowflake type of communism has never been tried before, so it will work, right?

Re: This is why we need givernment-controlled.,,

the Obama Care system will collapse into a single payer or back into a free market insurance system.

I don't really mind paying taxes for other peoples healthcare. If that means that they take care of their issues before it becomes a problem then it means that more people will get back to work and share the cost.
What doesn't make sense is to have the government pay the insurance company. The function of an insurance company is to pool/average costs among a lot of people. Taxes serves the same purpose.
Having both only means that you pay for administration twice without any added benefit.

With that said the government has a terrible history with protecting our information. I wouldn't hold then up as a shining beacon of light if I were you.

While true, free market doesn't even attempt to protect it.

Re: This is why we need givernment-controlled.,,

Huh? Obamacare is about forcing people to buy PRIVATE insurance. How is this a single payer system?

Re: This is why we need givernment-controlled.,,

[Impy+the+Impiuos+Imp]

They view it as a large "click" in the ever-leftward ratchet.

"Reducing costs" involves treating the current medical treatments as a static tree to be plucked, hunter-gatherer style, rather than being a transient state in ever-increasing number of treatments and cures which, by definition, costs more.

Unlike a car or TV, medicine is a suite of different things, and you want corporations adding options hand-over-fist. There is simply more to buy year after year, and it naturally costs more.

How much more are new treatments desired than an iPhone? This driv3s investment. You will no more have new medicine at current rates (which is what saves lives) than you would have an iPhone under a single payer phone system.

A single-payer medical system is about as sensible as a single-payer consumer electronics system. Anyone wanna bet the rate of invention will keep up?

Not me, man. I want new stuff, electronics and medicine.

Re: This is why we need givernment-controlled.,,

A single-payer medical system is about as sensible as a single-payer consumer electronics system.

Of course, that's why basically every other industrialized nation has a single-payer system, and why our health care costs are the highest while actual medical outcomes are among tho worst.

Re: This is why we need givernment-controlled.,,

America's healthcare costs are the highest because it's literally the only place that any money is available for R&D. All those countries that have single-payer? We're subsidizing them. And people say Americans don't support communism, we do it every time we go to the doctor or buy medicine. Only we're subsidizing the R&D that the entire world benefits from. Shove your single-payer up your red commie ass.

Re: This is why we need givernment-controlled.,,

Ummm what? The pill industry does most of the r&d. I don't see insurance companies doing r&d at all. The pill industry will be rich either way.

Re: This is why we need givernment-controlled.,,

That's how those rich white men be.

Re: This is why we need givernment-controlled.,,

[Greystripe]

The difference between a company losing your information and the government losing it is very simple. You can sue the company and the government will enforce the ruling should you win. If you attempt to sue the government not only can it decline to accept the suit in the first place but it can also choose how or even if it will enforce the ruling should you win.

Re: This is why we need givernment-controlled.,,

[dave420]

A single-payer medical system can be just as advanced as a private medical system. We see this every single day with new procedures being developed, tested, and made available to the general public in the many countries with single-payer systems. Quite a few of those systems have better outcomes than the US system for a whole range of diseases.

You've been lied to, and now you are arguing against your own future. Good jerrrrb!

Re: This is why we need givernment-controlled.,,

[dave420]

You really believe that? Take a look at the medical research coming out of those countries before you proudly tell everyone just how little you know.

Researchers!

I had an immediate family member doing federally funded research for a state university with "human subjects". The requirements for protecting the data was very clear. The competence of anyone in the department to know how to protect that data was not evident, because it wasn't a computer science department.

In the end I hosted the data and nothing bad happened. But I imagine that most personal data used in most human subjects research is kept in a ramshackle mess of spreadsheets and R files on laptops with no version control, backups, encryption, integrity protection or firewalling.

Re: Researchers!

[WarJolt]

Researchers don't need SSN for patient. Just assign each patient a number and refer to them that way.

The CS professional should have sanitized the data before releasing it.

Re: Researchers!

[tlambert]

Researchers don't need SSN for patient. Just assign each patient a number and refer to them that way.

The CS professional should have sanitized the data before releasing it.

In this case, the intent was to use the lab results to ensure improved patient outcomes. This means that the data had to be trackable back to the patients that provided it, and then the lab results were to be fed back into the treatment of said patients.

So this was technically not "human trials research", it was a bioinformatics business process to manage outcomes. As such, it's HIPAA protected, certainly -- but also, 100% personally identifiable.

For the people I know who have bought private insurance, or participated in one of the exchanges, but not yet provided their social security number, there tends to be a lot of letters sent (on the order of one a month) from the insurer, asking for the social, nominally to inform the IRS of your insurance, with the implied threat that if you don't provide the social, the IRS is going to eat your babies.

In other words: health care providers really, really like your social. Typically, according to people in the billing industry whom I also happen to know, it so that when they screw up on their billing -- which they inevitably do -- they can send the bills to a collections agency easier, in order to damage your credit over their screwup, until you pay them for their inability to code a procedure "correctly" so the health insurance accepts the coding.

So they had the socials, probably for not very good reasons, and they used them as an identifier for notionally very good reasons of unique correlation, and then they lost the data because they were idiots who don't routinely protect HIPAA data to the level required to allow them use of it in the first place.

Re: Researchers!

[l0n3s0m3phr34k]

And yet on the IRS tax forms it's just a single question "Have you had health insurance", last year at least they didn't request any information to collaborate it...no policy numbers, corp, etc.

Re:Researchers!

[l0n3s0m3phr34k]

A good friend of mine does ITSEC at a major research hospital in Portland; they are actually quite intense on it all. They won't even deploy anything that uses lower than TLS 1.2, CISSP certification is required, etc.

Re: Researchers!

[tlambert]

And yet on the IRS tax forms it's just a single question "Have you had health insurance", last year at least they didn't request any information to collaborate it...no policy numbers, corp, etc.

I didn't say they were telling the truth, and I (I hope) implied the opposite: They just want you to voluntarily disclose your social. I'm well aware that it's a check box.

Re: Researchers!

[ShanghaiBill]

Researchers don't need SSN for patient. Just assign each patient a number and refer to them that way.

A better solution would be to get rid of the idiotic notion that SSNs can be both widely known and secret. Their use for authentication (rather than identification) should be banned. They should be considered public information.

Re: Researchers!

[l0n3s0m3phr34k]

I got it! I was also pointing out that the actual IRS doesn't collect that info either, so their multiple request letters are completely bogus. They just want the info to sell it off to advertisers since it's worth more $$ with the SSN. Your comment makes me actually want to purposely not put my SSN on my insurance if I'm forced to use the exchange, just to tell them off when they try to "trick" me into giving it to them lol.

Re: Researchers!

They just want the info to sell it off to advertisers since it's worth more $$ with the SSN.

Which they can't do, because insurers have to maintain HIPAA compliance. And probably HITECH.

For any data loss

It needs to hurt a lot when things like this happen. Like $100000 per person. That will also remove the incentive for collecting a lot of data. Rip the head of the CEO of the company too.

Trade offs

[ebonum]

If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the ssd's were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

Re:Trade offs

Unless you agree to have your information published on the internet, don't accept electronic records.

Increasingly, you won't have a choice. Health care in the United States today is often provided through hospital corporations by facilities and doctors in their networks. The Affordable Care Act (aka "ObamaCare") contains among other things a mandate that those doctors, hospitals and providers paid by the government for seeing Medicare or Medicaid patients begin using electronic medical records (EMR) or else face cuts to their reimbursement rates. Even if your doctor keeps paper charts there will still be armies of back office workers hand keying the data into EMR systems. This will save money, if you believe Obama and his people. Many doctors already use iPads and other tablet devices in their work. You didn't think that they were just playing Angry Birds did you? In short, the health care providers aren't going to take a pay cut to keep records on paper when the government is mandating that they use EMR (Ever noticed how Dems love those mandates? Forcing people to do things against their will, now that's progress!). Medicare and Medicaid are such large programs that they will set the standard for other patient data too. That's why Obama mandated it. He and his people knew that by making EMR mandatory for Medicare and Medicaid, everybody else would get dragged along for the ride. BTW, if you voted for Obama this is partly your fault. Enjoy.

Re:Trade offs

Even if they end up on eBay, the new owners will most likely clear the old data.

Without even looking at it? I doubt that. Many old hard disks end up being dumped intact in African countries where they're sold in open air markets. There's no way those drives aren't going to be looked through for SSNs, names, dates of birth, addresses and the like that could be used for identity theft or sold on to others for that purpose.

Re:Trade offs

[tlambert]

You know that this would not have been a problem, had they had to store all the data on 5 1/4" floppy disks, right? The backup alarm on the semi truck would have been a dead giveaway...

Re:Trade offs

I prefer punch cards for this very reason.

Re:Trade offs

[Gonarat]

Naaah, paper tape is more secure.

Two words

[aglider]

Backup, encryption

Re:Two words

The sad thing is that every PC certified for Windows post 8 has a TPM and facilities for hardware encryption onboard. Enable BitLocker, and the OS platter is protected. From there, it is simple to BitLocker encrypt volumes, either externals, or others. Macs have FileVault2.

Even if the drives were on a NAS, my el cheapo Synology DS116j (single drive model, whose purpose in life is to be a rsync target for my other NAS for backups), offers eCryptFS encryption.)

External HDDs in general can be well protected even on a file level. EncFS MP can allow EncFS to work on OS X and Windows, brew can allow EncFS to work via command line on OS X, and it is just a yum or apt-get command away on most Linux distros.

HDD encryption is quite a solved problem. It is just pathetic to see "oops, we lost media" happening. Even with tapes, anything past LTO-3 has hardware level AES encryption, and it takes almost no time at all to go to the tape silo's web page, turn on encryption, set the passphrase to "correct horse battery stapler" (or a passphrase most people don't know), and call it done. This way, if a tape falls off the Iron Maiden truck, it isn't a front-page press catastrophe.

Doesn't hurt

Have you checked Hillary's server?

"While we don't believe...

we editors like to keep you in"

captcha: beginner

Re: This is why we need givernment-controlled.,

The AMA could help the people, but instead they only stand for those wealthy doctors.

It's Poland. Who cares.

We don't. We are the world.

Killing People

[Etherwalk]

If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the ssd's were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

That policy choice would kill a lot of people because it would prevent data mining to learn how to generate better health outcomes.

Trade offs.

Re:Killing People

[wings]

If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the ssd's were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

That policy choice would kill a lot of people because it would prevent data mining to learn how to generate better health outcomes. Trade offs.

Data mining to generate better health outcomes is good. Unfortunately there are other tradeoffs to consider. The large amount of personal data makes the database a target to be used for other purposes or even theft.

Then your data gets mined for less favorable purposes.

Re:Killing People

That policy choice would kill a lot of people because it would prevent data mining to learn how to generate better health outcomes.

It seems that the mining is usually done to generate better financial outcomes to the insurance providers. In that sense, the word mining is very appropriate. The public health aspect is severely lacking in these stories about data mining or electronic health records.

Not to Worry!

There are practically no real-world consequences for HIPAA violations like this.

Everybody will be fine. Except the patients. And who the fuck cares about those jerk-offs anyway?

driving without a seatbelt

[Ubi_NL]

I think shipping any sensitive data unencrypted should be a punishable offence even when the data is not stolen. Similar to driving around without your seatbelt. Its irresponsible behaviour that is easily prevented and comes from being lazy

Re:driving without a seatbelt

[penguin74]

It's very much so punishable. Health insurer Centene Corp can expect a fine of several million dollars. Just last year two companies settled for a total of $4.8 million and this just affected less than 7000 people. This company exposed 950,000 Source: I work in HIPAA compliance

Re:driving without a seatbelt

[l0n3s0m3phr34k]

If you work in HIPAA compliance, you might want to read over the actual document again. Encryption is not "Required", but only "Addressable". This is followed up by "reasonable and appropriate” for Addressable items, including documentation on why the Covered Entity didn't feel the Addressable was needed. This is from a governmental site, and the answer is "no". If this data was supposed to always stay in-house, then per 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii) that fact alone is probably good enough for them to not get fined.

I'm in no way saying not having it encrypted is a good idea; this seems to be a case that their required risk assessment failed in the worst way. Or perhaps there never was any risk assessment done for this particular project; TFA and the Reuters article are both quite vague and information on what actually happened is pretty missing.

Re:driving without a seatbelt

If it's supposed to always stay in house, then why is it on a removable drives.

Re:driving without a seatbelt

[sumdumass]

To go from working cabinet to fireproof safe?

I have several disk arrays that are hot swappable which technically have removable drives. But I cannot seem to find the reference stating they were on removable drives. For all I know they could have been removed from a failed server and was waiting for a new one to arrive.

Re:driving without a seatbelt

[penguin74]

You pretty much answered yourself. I guarantee you they've never performed a risk assessment. I deal with these types of companies on a daily basis. There are so many healthcare companies and providers out there that don't even follow basic minimum security practices. The stuff that pops up in the news is nothing compared to some of the shit I see constantly. But hey, it keeps me in business, so what's there to complain about right?

At least they used encrypted HDDs..

[jppiiroinen]

..or did they. https://www.youtube.com/watch?...

Are the encrypted?

If they are encrypted no worries. If they are not encrypted the board should each be given jail time 5 year minimum

My guess

[l0n3s0m3phr34k]

Some IT guy took the drives home, wiped them, and is now using them in his home file server, or just straight-up sold them on Ebay. This happens all the time, I've seen it happen at every company I've worked for over the past 20 years. TFA has little actual information (and neither does the Reuters write up)...were they shipped some place? Were these in a server, laptops, desktops?

Re:It's Poland. Who cares.

[Buchenskjoll]

Never mind the data, what about the missing customers?

on 950,000 customers that went missing

Not a problem.

[clickclickdrone]

They're professionals. The drives will be encrypted, right? Right?

Re:Not a problem.

Absolutely! They were equipped with the latest in encryption technology, commonly referred to in the industry by the name of "SATA".

what the

[kilodelta]

Have they never heard of HIPPA? I worked for about 14 months doing exome sequencing for the Million Man thing at the VA - or at a contractor to the VA. All the external drives were encrypted with 16 digit pins. And after so many tries they'd lock up completely. So no brute forcing. The drives were made by Apricorn and carried FIPS 140.2 certifcations.

Re:what the

[compro01]

Have they never heard of HIPPA?

Probably. They probably also determined that the cost of the fine is less than the cost of compliance.

Re:what the

With HIPAA in particular, not likely. The fine is per patient.

Retaliation or file burning!

Hey, do You remember those HP printers hosting illegal files? I think some hospitals may hold some of that too. I best thos HDD have something. Also, I'm thinking this could be a retaliation for something that a cyber criminal organization had lost. Keep it sharp boys, I would start by injecting truth serum at each IT worker at that hospital.

Raise your hand if this surprises you...

[damn_registrars]

One of the for-profit health insurance companies who just raked in a huge windfall as a result of the largest government-to-corporate handout in the history of government were too drunk on their power to bother with data security.

Yep, absolutely nobody is surprised by this in the least. Turns out hookers and blow don't manage this stuff very well on their own.

Re:Raise your hand if this surprises you...

[ripvlan]

yeah I know. I'm aware of several policies that data on external drives must be encrypted. And data sent via common carrier must also be encrypted. And signed for - life cycle management - including erasure and limited access documentation.

Our data center guys (not even handling PHI - just IP) have to use these USB drives that contain push-button PIN passwords right on the device itself. Data can't even leave the room without this level of security.

It is easy these days. You just need to do it.

Re:Raise your hand if this surprises you...

[damn_registrars]

It is easy these days. You just need to do it.

Yeah, but it takes time. And time costs money. And the insurance companies are insured against this kind of stupidity by other insurance companies, so they just let the chips fall where they may ... and let the party keep rolling. It's not like there will be any consequences for the insurance company, as they now have a guaranteed customer base for the rest of their lives.

Re:Raise your hand if this surprises you...

[ripvlan]

oh right - I forgot about that angle. What is the exposure to fines vs cost of doing it right? Gosh wasn't that a /. topic a few weeks ago - can't sue if there aren't any actual damages from identity theft. Just pay for monitoring and all is right with the world.

The ol' bean counter clause.

hmm... remember those companies that were experimenting with publishing all salaries of employees for full (internal) view? What if all of our personal details were just out in the open? It would reduce the value of it. Banks would pay loss insurance - and find better ways to reduce loss - and the world would be a better place.

Kind of like the Rino hunt story.

Re:Raise your hand if this surprises you...

[damn_registrars]

What if all of our personal details were just out in the open? It would reduce the value of it.

Even further back there was a story here about someone who was intentionally putting all his most trivial information into very public websites. I don't recall all the details now, but it may have been something he was doing do counter the fact that he was being targeted for surveillance for no particularly good reason so he figured he could do exactly that - reduce the value of the data.

Being as the slashdot "search" function continues to be the least useful search function anywhere, I have no good way to find it here. Google does a pretty good job indexing this site but that is in spite of slashdot trying to prevent that from happening...

Sensitive Private Information??

[Bing+Tsher+E]

Why is a person's SSN and date of birth 'sensitive information.'

Now, I know that the Credit Industry wants to be able to use this information to obligate us to assume responsibility for any debt they might choose to inflict on us.

But how is it in our benefit for this to be Secret Information? The Social Security Administration was not intended to issue 'secret numbers' to people.

The Government should publish all SSNs and in effect disallow the Credit Agencies from using this information against us. It wouldn't even take the government to shut down this system. If 10% of the population decided that enough was enough and disclosed their SSNs with a statement 'this is not enough information to authorize credit disbursement' it would take down the system.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Get rid of them

[AndyKron]

Health insurer Centene Corp should be sued out of existence.

Re:Get rid of them

[frog_strat]

+1

Where's the rest of the sentence?

"While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.

And?

American idiots.

How i destroy data.

where i work, if the drive cannot be DBAN'd i take it apart, and destroy it with standard technician tools,

first the magnet (i like to see it suffer trying to read parts that i have swiped the magnet over).

then i start scratching the platters with a screwdriver,

then i will start poking all of the parts (heads, ramps, cabeling, etc).

if it's a glass disk (mobile drives usually are), I will bend them until they shatter, and then toss out all the little pieces.

If it's a regular disk (metal usually), After torturing it, i will pull the platters out and mangle them with a pair of pliers, bending them until they can't be bent any more.

Then i recycle all the metal parts (our recycle guy pays us for that).

We have to abide by HIPAA guidelines as well. Usually though the drives are fine, in which i just do a goverment wipe with DBAN (it takes forever, but it's the safest)

Re:How i destroy data.

[mitcheli]

Just a note, DBAN doesn't work on SSD's. But a hammer will make short work of them...

Out of Compliance with HIPAA and HITECH Acts

[h4ck7h3p14n37]

The HIPAA and HITECH Acts' Security Rule require hard drives containing personal health information (PHI) to be encrypted at rest.

Why weren't they?

Losing an encrypted drive is not a reportable incident. Losing one with 950,000 records in cleartext results in you getting your name up on the Wall of Shame at HHS' Office of Civil Rights (OCR) along with penalties of $100 to $50,000 _per_record_ up to a maximum of $1.5 million.

In this case, since Centene Corp. is guilty of "Willful Neglect", the penalty should be somewhere between $10,000 to $50,000 per record which puts them at the maximum penalty.

• http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
• http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
• http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
• https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

And who will be held accountable?

Seriously, all of these breaches and "loss" of information result in no one going to jail. I also think that our Social Security numbers are far too imperative to our lives. Someone gets a hold of that information, along with some basic public knowledge and they can destroy our lives. The government needs to do something about the tying of SS # to credit, and healthcare. I'm getting tired of getting those letters in the mail saying someone else now has my personal information.

Oh wait... Obamacare mandates the tying of SS# and healthcare for tax reasons. Yeah, about that? There has to be a better way.

Re:Reverse it

Encryption, backup

Somebody call the Dollhouse

[rjejr]

Get Echo on the job, she'll find them in no time. Unless Alpha took them, then you're all screwed.

Re: This is why we need givernment-controlled.,

You misspelled bureaucrats

Lamest defense...evarr!

[poofmeisterp]

"While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.

That is the absolute lamest "don't worry" defense I've heard in a decade, hands-down.

So, what, you know an employee took it and wants hush money? No? Then how can you even claim data safety? OMFG.