Slashdot Mirror


Six Missing HDDs Contain Health Information of Nearly a Million Patients (corporate-ir.net)

Lucas123 writes: Health insurer Centene Corp. revealed that it is looking for six HDDs with information on 950,000 customers that went missing during a data project that was using laboratory results to improve the health outcomes of patients. The drives not only contain sensitive personal identification information, such as addresses, dates of birth and social security numbers, but they also contain health information. "While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.

14 of 87 comments

  1. Editing by Anonymous Coward · · Score: 5, Funny

    "While I usually praise the high standard of editing," said readers of Slashdot everywhere.

  2. Two words by aglider · · Score: 2

    Backup, encryption

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  3. Killing People by Etherwalk · · Score: 5, Insightful

    If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the SSDs were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

    That policy choice would kill a lot of people because it would prevent data mining to learn how to generate better health outcomes.

    Trade offs.

    1. Re:Killing People by wings · · Score: 2

      If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the SSDs were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

      That policy choice would kill a lot of people because it would prevent data mining to learn how to generate better health outcomes. Trade offs.

      Data mining to generate better health outcomes is good. Unfortunately there are other tradeoffs to consider. The large amount of personal data makes the database a target to be used for other purposes or even theft.

      Then your data gets mined for less favorable purposes.

  4. Re: Researchers! by tlambert · · Score: 5, Interesting

    Researchers don't need an SSN for a patient. Just assign each patient a number and refer to them that way.

    The CS professional should have sanitized the data before releasing it.

    In this case, the intent was to use the lab results to ensure improved patient outcomes. This means that the data had to be trackable back to the patients that provided it, and then the lab results were to be fed back into the treatment of said patients.

    So this was technically not "human trials research", it was a bioinformatics business process to manage outcomes. As such, it's HIPAA protected, certainly -- but also, 100% personally identifiable.

    For the people I know who have bought private insurance, or participated in one of the exchanges, but not yet provided their social security number, there tends to be a lot of letters sent (on the order of one a month) from the insurer, asking for the social, nominally to inform the IRS of your insurance, with the implied threat that if you don't provide the social, the IRS is going to eat your babies.

    In other words: health care providers really, really like your social. Typically, according to people in the billing industry whom I also happen to know, it is so that when they screw up on their billing -- which they inevitably do -- they can send the bills to a collections agency more easily, in order to damage your credit over their screwup, until you pay them for their inability to code a procedure "correctly" so the health insurance accepts the coding.

    So they had the socials, probably for not very good reasons, and they used them as an identifier for notionally very good reasons of unique correlation, and then they lost the data because they were idiots who don't routinely protect HIPAA data to the level required to allow them use of it in the first place.

  5. Re:Trade offs by tlambert · · Score: 2

    You know that this would not have been a problem, had they had to store all the data on 5 1/4" floppy disks, right? The backup alarm on the semi truck would have been a dead giveaway...

  6. My guess by l0n3s0m3phr34k · · Score: 2

    Some IT guy took the drives home, wiped them, and is now using them in his home file server, or just straight-up sold them on eBay. This happens all the time; I've seen it happen at every company I've worked for over the past 20 years. TFA has little actual information (and neither does the Reuters write-up)...were they shipped some place? Were these in a server, laptops, desktops?

  7. Re:Researchers! by l0n3s0m3phr34k · · Score: 2

    A good friend of mine does ITSEC at a major research hospital in Portland; they are actually quite intense on it all. They won't even deploy anything that uses lower than TLS 1.2, CISSP certification is required, etc.

  8. Raise your hand if this surprises you... by damn_registrars · · Score: 4, Insightful

    One of the for-profit health insurance companies that just raked in a huge windfall as a result of the largest government-to-corporate handout in the history of government was too drunk on its power to bother with data security.

    Yep, absolutely nobody is surprised by this in the least. Turns out hookers and blow don't manage this stuff very well on their own.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  9. Sensitive Private Information?? by Bing+Tsher+E · · Score: 2

    Why are a person's SSN and date of birth 'sensitive information'?

    Now, I know that the Credit Industry wants to be able to use this information to obligate us to assume responsibility for any debt they might choose to inflict on us.

    But how is it in our benefit for this to be Secret Information? The Social Security Administration was not intended to issue 'secret numbers' to people.

    The Government should publish all SSNs and in effect disallow the Credit Agencies from using this information against us. It wouldn't even take the government to shut down this system. If 10% of the population decided that enough was enough and disclosed their SSNs with a statement 'this is not enough information to authorize credit disbursement' it would take down the system.

  10. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  11. Get rid of them by AndyKron · · Score: 2

    Health insurer Centene Corp should be sued out of existence.

    1. Re:Get rid of them by frog_strat · · Score: 2

      +1

  12. Re: Researchers! by ShanghaiBill · · Score: 3, Insightful

    Researchers don't need an SSN for a patient. Just assign each patient a number and refer to them that way.

    A better solution would be to get rid of the idiotic notion that SSNs can be both widely known and secret. Their use for authentication (rather than identification) should be banned. They should be considered public information.
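The point raised in comments 4 and 12 (assign each patient a number instead of carrying the SSN through the dataset, while the custodian can still trace lab results back to the patient) is easy to get wrong: a plain hash of the SSN is no pseudonym at all, because the whole nine-digit space can be enumerated in minutes. The following is an added example written for this page, not code from the thread or from Centene; the record layout, the `pseudonym`/`build_release`/`results_for_patient` helper names and the sample patients and lab rows are all constructed for illustration. It derives a pseudonymous ID with an HMAC under a key that stays with the data custodian, releases only the pseudonymous records, and shows that the custodian can still re-derive the ID from an SSN to feed results back into care without the SSN ever appearing in the released files.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; none of these are real people or real data.
PATIENTS = [
    {"ssn": "123-45-6789", "name": "A. Example", "dob": "1970-01-01"},
    {"ssn": "987-65-4321", "name": "B. Example", "dob": "1985-06-15"},
]
LAB_RESULTS = [
    {"ssn": "123-45-6789", "test": "HbA1c", "value": 7.9},
    {"ssn": "987-65-4321", "test": "HbA1c", "value": 5.4},
    {"ssn": "123456789", "test": "LDL", "value": 160},  # same patient, unformatted
]


def normalize_ssn(ssn: str) -> str:
    """Canonicalise an SSN to nine digits so formatting differences
    ('123-45-6789' vs '123456789') map to the same pseudonym."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed pseudonym for a patient.

    HMAC-SHA256 rather than a bare SHA-256: without the key, anyone holding
    the released files could hash all 10^9 candidate SSNs and reverse the
    mapping. The key lives only with the data custodian, never with the
    released dataset or the drives carrying it."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def build_release(patients, labs, key):
    """Produce the outbound dataset: pseudonymous ID plus only the fields
    the analysis needs (here, birth year), with name and SSN dropped."""
    released_patients = [
        {"pid": pseudonym(p["ssn"], key), "dob_year": p["dob"][:4]} for p in patients
    ]
    released_labs = [
        {"pid": pseudonym(r["ssn"], key), "test": r["test"], "value": r["value"]}
        for r in labs
    ]
    return released_patients, released_labs


def contains_direct_identifiers(rows):
    """Release gate: refuse to ship any row that still carries SSN or name."""
    return any("ssn" in row or "name" in row for row in rows)


def results_for_patient(ssn, released_labs, key):
    """Custodian side: re-derive the pseudonym from the SSN held in the
    clinical system and pull that patient's findings back for treatment."""
    pid = pseudonym(ssn, key)
    return [r for r in released_labs if r["pid"] == pid]


def demo():
    key = secrets.token_bytes(32)  # hypothetical custodian key, kept off the release
    rp, rl = build_release(PATIENTS, LAB_RESULTS, key)
    if contains_direct_identifiers(rp) or contains_direct_identifiers(rl):
        raise SystemExit("release still carries direct identifiers")
    print("released patients:", rp)
    print("released labs:", rl)
    print("results for 123-45-6789:", results_for_patient("123-45-6789", rl, key))


if __name__ == "__main__":
    demo()
```

Losing the released files under this scheme still leaks health data tied to a stable ID, so it does not replace encrypting the drives; what it removes is the SSN and name from the copy that travels, and it keeps the only link back to identity behind a key that was never on the lost media. A different key per release also stops two leaked datasets from being joined on the same pseudonym.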