Slashdot Mirror


US Healthcare Records Offered For Sale Online

An anonymous reader writes: Three U.S. healthcare organisations are reportedly being held to ransom by a hacker who stole data on hundreds of thousands of patients. The hacker has also put the 650,000 records up for sale on dark web markets where stolen data is traded. Prices for the different databases range from $100,000 to $411,000. Buyers have already been found for some of the stolen data, the hacker behind the theft told news site Motherboard. No information about the size of the ransom payment sought by the data thief has emerged, although he did say it was "a modest amount compared to the damage that will be caused to the organisations when I decide to publicly leak the victims."

51 of 88 comments

  1. Re:Why not find and execute the hacker? by blueshift_1 · · Score: 1

    The government will probably just hire him or her.

  2. Where do I sign up? by Anonymous Coward · · Score: 5, Interesting

    Where do I sign up?

    The last time I requested my medical records from my doctor I was told that they could not provide many of them (especially the expensive MRI images), and of those they could provide they would charge a high fee for duplication. I was looking at paying somewhere between $50-100. I'm fairly certain they were doing this to prevent me from moving to another practice.

    If this guy had my records I'd be happy to pay him $10 for them.

    1. Re:Where do I sign up? by Anonymous Coward · · Score: 1

      That's interesting. I had some CT's taken, I asked for the 'image data' (I work in the 'healthcare industry' & have specific knowledge of the format of this data. So besides even thinking of taking it elsewhere I was going to 'play with it' some day to make a 3D model of the area of my body they imaged just for 'shits & giggles'), I was given it on CD in 10 minutes.

      Your mileage varies, I guess.

    2. Re:Where do I sign up? by PCM2 · · Score: 1

      I can echo the GP's experience. One doctor I went to wouldn't transfer any records of any kind to another doctor without being paid a fee, which I think was something like $75. Such practices seem self-defeating, to me, but I guess they're common enough.

      --
      Breakfast served all day!
    3. Re:Where do I sign up? by NetNed · · Score: 1

      Yeah, not sure why that got modded up. Every MRI I have taken they give you a CD without even asking.

    4. Re:Where do I sign up? by jedidiah · · Score: 1

      A lot of doctors use HIPAA as an excuse to cash in.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    5. Re:Where do I sign up? by Kierthos · · Score: 1

      Once upon a time (a decade ago), there was a medical study done at/near the local university for some sort of drug trial. Maybe you got the placebo, maybe you got the drug, right? Run on a treadmill or use an exercise bike for so many minutes, they run some tests, and take some scans (including brain scans). And they were going to pay some cash, plus you got a copy of the brain scans.

      If I had met the qualifications (I was outside the age range they were looking for), I would have done it just for the brain scans.

      --
      Mr. Hu is not a ninja.
    6. Re:Where do I sign up? by Hussman32 · · Score: 1

      They charge because the law says they are allowed to; the cost per page varies from state to state. Seems ridiculous and frankly unprofessional, as those records may have information that could save your life or prevent your early death.

      --
      "Who are you?" "No one of consequence." "I must know." "Get used to disappointment."
    7. Re: Where do I sign up? by ArmoredDragon · · Score: 1

      I'm pretty sure that's illegal. Under HIPAA, you as a patient have the final say in who has access to your medical records, and I'm fairly certain that it's an ethics violation for your doctor to deny you the ability to get a second opinion. In fact, if you run into a doctor that hates second opinions then you should find a new one anyways, as every good doctor is willing to accept that sometimes they're wrong and even appreciates a second opinion, and their ultimate goal is your health, not their ego.

    8. Re: Where do I sign up? by ArmoredDragon · · Score: 1

      What? As somebody with a chronic disease, I see lots of doctors and haven't had this once. If they do something like this then they're blatantly breaking the law, because HIPAA explicitly guarantees you the right to have access to your own records, in addition to you being allowed to control who else can or can't access them.

      http://www.hhs.gov/hipaa/for-p...

    9. Re:Where do I sign up? by cdrudge · · Score: 1
    10. Re:Where do I sign up? by Fencepost · · Score: 1

      The cost for this is basically an administrative time charge, and is regulated by the states with a base cost, a cost per page, and I believe generally a maximum charge. You can find more information on the per-state charges here: http://www.lamblawoffice.com/medical-records-copying-charges.html

      This is an area that's kind of in flux - as practices have moved to EMRs, many of them have only scanned in key items from records - the rest is still in a manila folder, either on a shelf in the office or, if you haven't been seen in a while, in a box at an offsite storage facility. What they're charging for when you request a full copy is to retrieve those records (wherever they may be), copy or scan them, and send that copy along to you. Depending on the chart, etc., that might well be an hour or two of staff time (occasionally more), so offices are allowed to charge but are regulated by state laws/regulations as to how much they charge.

      For practices that are fully electronic it may be simpler, but even then some EMRs don't provide a good way to dump the entire chart - you have to print/PDF all of the notes/records, then separately go in and print any attached or scanned documents one at a time.

      Finally, if you're moving to a new practice, ask the staff at the new practice to request your chart from the old one - I could be wrong, but I don't think practices charge each other the same way they charge patients, both as a reciprocal thing and because frankly they're not set up for charging other practices.

      --
      fencepost
      just a little off
    11. Re:Where do I sign up? by budgenator · · Score: 1

      Sure you can fix that by suing the Bastard in the Court that charges $5.00 a page for copying their court transcripts; we charge $15.00 for records copy from our dental office, the Hospital charged me $150.00 when they managed my MD's office.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:Where do I sign up? by Archangel+Michael · · Score: 1

      A lot of doctors are quitting medicine, because the state has declared them to be indentured servants required to perform services for little or no pay.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    13. Re:Where do I sign up? by tlhIngan · · Score: 1

      That's interesting. I had some CT's taken, I asked for the 'image data' (I work in the 'healthcare industry' & have specific knowledge of the format of this data. So besides even thinking of taking it elsewhere I was going to 'play with it' some day to make a 3D model of the area of my body they imaged just for 'shits & giggles'), I was given it on CD in 10 minutes.

      Well, if they have the data available immediately, then making a copy for you is basically free because it's right there.

      The problems arise once the data hits your charts and gets archived. It's LESS accessible now because it's now part of your chart and since it can be fairly large, it gets put into cold storage almost instantly. And once it hits there, it takes time and effort to retrieve the data, and some cold storage providers charge to retrieve the data.

      Plus, this is for medical records, which are often scattered about - electronic, paper (those manila folders aren't going away - most practices haven't digitized those even if they use EMRs), paper stored in an offsite facility, etc.

      If you ask immediately, while the data is still on the hard drive prior to archival (to your medical record) and deletion (off the local hard drive), the cost is practically zero.

    14. Re: Where do I sign up? by ArmoredDragon · · Score: 1

      That's only true if they give the records to you, the patient. However you always have the right to have them transferred to another practitioner without charge.

  3. Re:Why not find and execute the hacker? by Opportunist · · Score: 1

    Because it's usually not easy to find them, and once you do, you notice that they sit in a country that doesn't even pick up the phone when you call them to ask for them to be handed over.

    Nobody outside the "west" gives a shit about data theft.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Why not find and execute the hacker? by mi · · Score: 4, Insightful

    I can recall several reasons — all of which I've encountered here on /. over the years and they've achieved acclaim and high moderations:

    1. Information wants to be free!!
    2. The leak exposes security flaws in the organizations — and it is their CIOs, who should be executed instead. The hacker needs to be hired as the CIO of all three.
    3. The data exposes corruption and abuses at the organizations. The leaker may have broken the law, but Obama should pardon him.
    --
    In Soviet Washington the swamp drains you.
  5. Re:Inefficient fragmentation! by wbr1 · · Score: 1, Insightful

    Mi, you don't have to worry. Obama sold out to the HMOs and conservatives and took single payer off the table first thing. That is why we have a confusing and expensive morass of shit to deal with for the ACA.

    --
    Silence is a state of mime.
  6. Re:Why not find and execute the hacker? by arth1 · · Score: 1, Insightful

    Can anyone give me one reason why the authorities shouldn't find the hacker and promptly execute him?

    Yeah, didn't think so...

    Short answer: Jurisdiction

    But can anyone give me one reason why the authorities shouldn't find the person responsible for implementing these insecure systems and promptly put them in a pillory?

  7. Re:As a Cigma customer i have no worries by bill_mcgonigle · · Score: 1

    PS: anybody know why my arm keeps going numb?

    Yes, and keep it down - your mom is trying to sleep.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Re:Why not find and execute the hacker? by bill_mcgonigle · · Score: 2

    But can anyone give me one reason why the authorities shouldn't find the person responsible for implementing these insecure systems and promptly put them in a pillory?

    Because he's a rich white CIO and has plenty of money and corporate power behind him to make sure he faces no consequences?

    Oh, sorry, that might have been four reasons, not one.

    Now, then, who's gonna do one damn thing about the system that perpetuates such circumstances? I'll be out back listening to the crickets.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. Re:Why not find and execute the hacker? by Captain+Splendid · · Score: 1

    It's telling that most of the posts advocating violence in this thread come from ACs. What's wrong, boys, afraid to stand behind your rhetoric?

    --
    Linux, you magnificent bastard, I read the fucking manual!
  10. Re:As a Cigma customer i have no worries by Nidi62 · · Score: 1

    Since I have never received any healthcare (and according to my HC plan, never will), I have no health care records.

    PS: anybody know why my arm keeps going numb?

    If it gets bad enough just cut it off. Luckily since it's numb you won't even need to worry about anesthetic!

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  11. The information by Anonymous Coward · · Score: 1

    My medical records have my d.o.b, SSN, name, address, and everything needed to use my ID to get credit, file taxes, and get a host of legal docs and IDs.

    1. Re:The information by Archangel+Michael · · Score: 1

      Sounds more like a problem with people trusting a bunch of numbers to describe you.

      IF we put the liability on people accepting falsified information, rather than the person being cloned, the problems would disappear.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  12. Re:No one should care by PCM2 · · Score: 2

    Say that after someone uses your name and SSN to open a property loan under your name (and default on it, naturally).

    --
    Breakfast served all day!
  13. Re: Why not find and execute the hacker? by Opportunist · · Score: 1

    You don't do that with countries that have nukes.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Curiosity Question by jasnw · · Score: 2

    If this hack was made on systems which were accessible from the Internet, why the frack were they accessible from the Internet in the first place?? If an organization is too cheap, or too lazy, or too inept, or all-of-the-above, to put in place the serious security protections needed for an Internet-facing server, then said organization should never put sensitive data on any of their Internet-facing servers. Even if the organization is on top of things security-wise, if there is no really REALLY good reason for said data to be on an Internet-facing server, do NOT put it on one. Network Security for Dummies.

    1. Re:Curiosity Question by budgenator · · Score: 1

      If this hack was made on systems which were accessible from the Internet, why the frack were they accessible from the Internet in the first place??

      Bwahahaha, how the fuck do you think we submit claims to your insurance company for reimbursement? Sure, some stuff goes out over some vendor's private protocol over the internet, but most goes through the insurer's website. I can go to Delta's, log on and, if you're a Delta subscriber, find you and download all of your Explanations of Benefits for the last 5 years as PDFs; the judges love it when we are suing for non-payment.

      Most healthcare workers are functionally computer illiterate; an encrypted zip will send them into fits.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  15. Re:Why not find and execute the hacker? by Opportunist · · Score: 1

    Ask the content industry how well that worked out.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re: Why not find and execute the hacker? by jedidiah · · Score: 1

    You can always do it the old fashioned way.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  17. Re:Why not find and execute the hacker? by fustakrakich · · Score: 1

    You forgot the best reason:

    The "hacker" was an agent used to "leak" the documents, sell them to the pharma companies, and provide plausible deniability when people start complaining about all the junk mail they're getting.

    --
    “He’s not deformed, he’s just drunk!”
  18. Re:Under the GOP systems and blacklist is needed by jedidiah · · Score: 1

    Under the GOP system there was already a risk pool of last resort.

    Much less intrusive than trying to re-engineer the entire industry and less of a constitutional issue than forcing a consumer product on people.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  19. Re:Inefficient fragmentation! by OhPlz · · Score: 1

    It's not about the insurers, it's about many of us not wanting to be forced into a system bigger and more corrupt than the VA. If you get screwed over by single payer, you have zero recourse. So then what, we have to have private insurance along with our single payer? I'd rather just have the private insurance and be done with it.

  20. Re:Inefficient fragmentation! by jedidiah · · Score: 1

    You're an idiot. We won't get the NHS. We will get more of what we already have in terms of Medicaid and Medicare. You lot are simply too cheap.

    The NHS would collapse based on what Americans of both parties are willing to spend on public healthcare.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  21. Re:Inefficient fragmentation! by fustakrakich · · Score: 1

    Hey, if it leads to single payer, let's grease that slope and tilt it up to 90 degrees. The records are being made public anyway. We may as well get some service for it.

    --
    “He’s not deformed, he’s just drunk!”
  22. Re: Why not find and execute the hacker? by ArmoredDragon · · Score: 1

    Send them a strongly worded letter about how angry you are with them!

  23. See your own health record while you. An by Applehu+Akbar · · Score: 2

    Since HIPAA allows virtually everyone other than yourself to access your medical records, you might want to go to this site and buy access to your own records while the opportunity exists.

  24. Re:Why not find and execute the hacker? by Kierthos · · Score: 1

    Yeah, you can pretty much bet that outside of someone completely incompetent setting up their network security (which is always a possibility), it came down to "Secure implementation costs $X. Less secure implementation costs $LESS_THAN_X." and some exec or bean-counter said "Go with $LESS_THAN_X".

    --
    Mr. Hu is not a ninja.
  25. Re:Why not find and execute the hacker? by Applehu+Akbar · · Score: 2

    Can anyone give me one reason why the authorities shouldn't find the hacker and promptly execute him?

    Yeah, didn't think so...

    Our FBI can do that only if it can be shown that the hacker annoyed Hollywood in some way. To protect yourself in the future, see your doctor and ask if there isn't some way you can work a copyrighted song lyric into your medical file.

  26. Re: Why not find and execute the hacker? by ArmoredDragon · · Score: 1

    There is a saying that only way to truly secure your server is to disconnect it from the network. However HIPAA requires EMR, so that's not an option.

    So I have to ask, why are you calling for the victim to be executed and replaced with somebody who is known for less than ethical behavior?

    This is similar to how Islamic countries give lashings to raped women for adultery and then let the rapist go scot-free because it wasn't his fault that the woman's looks were tempting.

  27. Re:Under the GOP systems and blacklist is needed by Archangel+Michael · · Score: 1

    Under socialistic systems, everyone gets the same crappy care. See VA hospitals for example.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  28. Re: Why not find and execute the hacker? by Penguinisto · · Score: 1

    I think he meant kidnapping (see also the practice of 'extraditing' former Third Reich fugitives to Israel in the 1950's, 1960's, 1970's... not so much these days, mostly due to attrition).

    Could be a new and improved use of Guantanamo Bay, truth be told.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  29. Re: Why not find and execute the hacker? by Penguinisto · · Score: 1

    However HIPAA requires EMR, so that's not an option.

    Curious as to why that can't be on its own network (or at least a network of VPNs...)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  30. Re: Why not find and execute the hacker? by mi · · Score: 1

    So I have to ask, why are you calling for the victim to be executed and replaced with somebody who is known for less than ethical behavior?

    Woooosh...

    --
    In Soviet Washington the swamp drains you.
  31. Re:No one should care by Archangel+Michael · · Score: 1

    Identification (Numbers etc) isn't secret. That's what makes them useful. It is also way too easy to prove you're someone you're not, simply by providing enough (one??) piece of identifying information. Two Factor Authentication should be more or less standard operations now. But it is inconvenient.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  32. Re: Why not find and execute the hacker? by ArmoredDragon · · Score: 1

    Because you inevitably have to be able to transfer those records to another health care provider (and/or the patient himself) when the patient either requests it or authorizes it, as per the law. Sure, you can keep it within a secure network, but there is basically no such thing as perfect security.

    Remember, the employees are typically the weakest link. No CIO in the world (or anybody else for that matter) can 100% guarantee the security of any system that has more than one authorized user, no matter the circumstances.

  33. Re:Under the GOP systems and blacklist is needed by dave420 · · Score: 1

    Or look at the countries with better healthcare outcomes than the US, for much less money. I'll wait for you to complain about how large the US is, and I'll point out that healthcare scales very well - more people to serve = more taxpayers = money to pay for their care. Then I guess I'll wait for some nebulous argument about "diverse cultures" and how the countries which pay less for comparable or better care don't have such "problems" or some other nonsense, and point out that that argument has no bearing on anything whatsoever; it is just a convenient excuse used by people to forgive broken systems without having to admit the failings of anyone.

    You are flogging a dead horse. No, wait, you are the dead horse.

  34. Re:Under the GOP systems and blacklist is needed by Archangel+Michael · · Score: 1

    FYI, they also measure outcomes differently in different countries, so that even if the statistics are correct, they are measuring entirely different datasets.

    For instance, it is often touted that infant mortality rates are lower in certain countries. While that statistic is accurate as a statement, the two countries are measuring it differently. In the US, premature births of all types and kinds are included, where they are not in other countries. And if you include premature birth rates, the actual statistics flip.

    If people die of cancer waiting for treatment, they aren't counted as "cancer patients" because they never were.

    Statistics are meaningless unless they are being used the exact same way across the board, and they are not.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  35. Re:Under the GOP systems and blacklist is needed by whoever57 · · Score: 1

    For instance, it is often touted that infant mortality rates are lower in certain countries. While that statistic is accurate as a statement, the two countries are measuring it differently. In the US, premature births of all types and kinds are included, where they are not in other countries. And if you include premature birth rates, the actual statistics flip.

    Got a citation for that? Because I have one that shows you are spouting more libertarian BS:

    "The reporting differences are a minor part of the story but not an excuse for why the U.S has such a high mortality rate."

    --
    The real "Libtards" are the Libertarians!