Slashdot Mirror


HealthCare.gov Portal Suffers Data Breach Exposing 75,000 Customers (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: Sensitive information belonging to roughly 75,000 individuals was exposed after a government healthcare sign-up system got hacked, the Centers for Medicare & Medicaid Services (CMS) said on Friday. The agency said that "anomalous system activity" was detected last week in the Direct Enrollment system, which Americans use to enroll in healthcare plans via the insurance exchange established under the Affordable Care Act -- also known as Obamacare. A breach was declared on Wednesday. It's unclear why the agency, which is part of the U.S. Department of Health and Human Services, chose to not announce the incident sooner. Officials said the hacked portal is used by insurance agents and brokers to help Americans sign up for coverage and that no other systems were involved. The affected system has been disabled. CMS said it hoped to restore it before the end of next week. "I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted," CMS Administrator Seema Verma said in a statement. "We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection."

33 of 70 comments

  1. Deja vu by OffTheLip · · Score: 3, Informative

    Seriously, I'd like to know who doesn't have my personal information at this point. Likely be a short list.

    1. Re:Deja vu by nospam007 · · Score: 1

      Sure, but in this case, it's "déjà lu".

    2. Re:Deja vu by antdude · · Score: 1

      Or no list! :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. Re:Goes without saying by Anonymous Coward · · Score: 1

    I must have missed the part where 'something fantastic' was proposed by the Republicans. When was that? Can you provide a link to the fantastic healthcare plan they proposed?

    Also, seems like the GOP has a majority in both houses of Congress. Why did the support of the Democrats matter at all? Thx.

  3. Re:Nothing exciting or? by nospam007 · · Score: 1

    "Presumably this is just the world we live in. There doesn't seem much info in the article,..."

    (Gasp) You read the article?
    Vade retro Satanas!

  4. Which is why each state has separate car companies by raymorris · · Score: 4, Insightful

    > Trading across state lines won't help, it becomes a race to the bottom

    Exactly. That's why each state has to have separate car companies, separate food companies, separate smartphone manufacturers - and separate insurance companies.

    If you let people in Oregon buy a phone made in California, or a truck made in Texas, or fruit grown in Florida, you know it'll be garbage.

    I say people should only be allowed to do business with companies in the same state, to avoid this race to the bottom. The fabulous success of this policy for health insurance demonstrates why we should do the same thing for all products and services.

  5. Re: Nothing exciting or? by jd · · Score: 1

    There's no reason for it to be the world we live in. We make it cheaper for companies to be failures than successes, but that's a choice and not every country makes the same choices.

    All we need are the well-regulated markets advocated by Adam Smith, where regulations protect personal information, mandate minimum standards of operation and require a warranty for fitness of purpose in software.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. Wish we could stop calling it Obamacare by archer, the · · Score: 2

    That name was dreamt up to play on the fears of Republican voters, including the suggestion that it would have "death panels". A survey early last year showed 35% of respondents still didn't realize "Obamacare" was the same thing as the ACA. We need to make decisions rationally, not out of fear.

    For instance, you're more likely to be killed by pollution (200,000 early deaths per year) than an undocumented immigrant (750 per year). However, our administration wants to spend money building a wall to protect you from the "dangerous" Mexicans, but doesn't mention anything about how many people die from pollution when announcing cuts to emissions standards.

    (The 750 number is 456 arrests per year, plus an estimated correction factor due to cases not being solved.)

    1. Re: Wish we could stop calling it Obamacare by jd · · Score: 1

      It wasn't even devised by Obama, it was devised by Mitt Romney. Obama notably refused to offer suggestions and asked Congress to devise their own proposals. Romney's, with Republican amendments, was the one accepted.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re: Wish we could stop calling it Obamacare by jd · · Score: 2

      King John wanted a fiscal wall. Ruined his country trying. The barons stepped in and forced him to allow merchants, traders and other workers to cross the border freely except in times of war, and to never deprive a worker of the tools of their trade.

      Easy to improve countries to the south. Want a step by step guide?

      1) Don't finance or operate death squads there

      2) Hold businesses responsible for crimes overseas, as permitted by US law

      3) Don't overthrow elected governments

      4) Don't supply them with weapons

      5) Ensure the NRA is clear that gun running will not be tolerated

      6) Legalize all drugs but allow refusal of coverage or care (other than psych) for habitual users of anything addictive

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:Wish we could stop calling it Obamacare by PopeRatzo · · Score: 1

      IRS: 1.2 Million Illegal Aliens Committed Identity Theft in FY 2017 [numbersusa.com]

      If you follow that link to its source at the right-wing CNS ("right news, right now"), you will find that the answers from the IRS about identity theft have nothing to do with immigrants or illegal aliens, and make no mention of them. You took a story about one thing and made it about something else to fit your purposes.

      You have to learn to use higher-quality fake news sites.

      --
      You are welcome on my lawn.
    4. Re: Wish we could stop calling it Obamacare by Anonymous Coward · · Score: 1

      To 6 - AFAIK, chemical addictions actually require medical treatments and medication. The kind of addiction where your body convulses, vomits, shits when you quit the drug. For other kinds of habitual addiction or whatever it’s called.. geez it’s still cheaper to treat anyone earlier than later.

    5. Re: Wish we could stop calling it Obamacare by cascadingstylesheet · · Score: 1

      I bet you do.

    6. Re: Wish we could stop calling it Obamacare by jd · · Score: 1

      That sort of treatment really ought to be done in psych facilities, the person needs to be monitored by people who understand pharmacology in relation to the brain and which effects are good versus really bad. That's the province of the pdoc.

      That treatment, yes, should be early and covered. And strictly done by people who know what they're doing.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    7. Re:Wish we could stop calling it Obamacare by archer, the · · Score: 1

      And yet you're the one that added a statistic to one side only. Why not provide statistics of other problems caused by pollution? Because you don't care about taking a look at all of our problems (environment, health, crime, immigration, etc) objectively and then prioritizing. Your identity theft statistic also covers 6 years according to this. I think people would prefer Identity theft to dying early.

      That being said, I should have framed this slightly differently: cost to resolve the issues. If the US could spend $100 per death prevented by building the "wall", compared to say $150 per death prevented by reducing pollution, it would be better to build the wall first. However, making these determinations still requires objective analysis.

  7. Re: Which is why each state has separate car compa by jd · · Score: 1

    You do understand that whilst different cars have different performance characteristics making them suitable for different conditions, there's really only one treatment for a broken leg, one treatment for any given bacterial infection, one sort of x-ray, one design of ambulance.

    Not really a situation that applies to cars, toothbrushes or music.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Re: Seriously?? by jd · · Score: 1

    The issue isn't a week. The issue is that there was a serious defect resulting in personally identifying information (PII) being exposed, showing inadequate testing, and that identification of the flaw took however many years the service has been online.

    This is mission-critical software in which failures could potentially cause tens of millions of dollars damage. There are certain Federal requirements for such software, including ISO 900x. It is also running via the Federal government, which imposes FIPS, the NSA secure server guidelines, Common Criteria, and those elements of the Rainbow Series dealing with data not obsoleted by later NIST standards.

    I know the sorts of contractors involved, I used to do contract work for the Federal government myself. I am not impressed. The maxim is that if builders built buildings the way programmers wrote programs, the first woodpecker that came along would destroy civilization. In Federal circles, that's pretty accurate.

    Sure, they're doing better than Yahoo! or Sony. So did Genghis Khan. It's not a difficult standard to reach. Given the Federal government mandates better, should we not be using the mandated standard as the one to judge by?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Same in Dr's offices by rojash · · Score: 1

    The bastards expose all your info in open files in paper documents. How unsafe is that ? Imagine being a jan who knows to make use of this !!

    1. Re: Same in Dr's offices by jd · · Score: 1

      Ever tried to read a doctor's handwriting? There's no better cryptography. Nobody is allowed to stand near taking notes, anyway, and even if they did they'd be on CCTV.

      Thing with computers and data, a billion copies can be made as easily as one, by a million different people, all in different parts of the world, with absolutely nothing to stop them or identify them.

      Slight difference in accountability, access control and scale.

      So, aside from being utterly wrong in every respect... you're wrong. Nice to know computer literacy is so high. It's almost measurable.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:Same in Dr's offices by Voyager529 · · Score: 1

      > The bastards expose all your info in open files in paper documents. How unsafe is that ? Imagine being a jan who knows to make use of this !!

      You must not do much work in doctor's offices. A doctor's office still using paper records, a fax machine, and a locked filing cabinet is probably keeping your records safer than at least half of the doctor's offices which use computers. On my to-do list before the end of the year is to try and get a doctor to upgrade his computer systems from Windows XP and an ISP-distributed router. Yes, in 2018, I'm still doing that because everything has 'just worked' for years and years; to a certain degree I can't fault them. However, now, they basically have to start from scratch: new server, new release of their recordkeeping software, new workstations, new router...the whole project is probably going to cost some $10,000 by the time they're done, it's not like they've been saving up the past five years to do it, and they basically have to do everything in one shot, meaning there will likely be a small business loan involved to do it.

      A dentist's office I work with has fairly modern stuff, but their passwords are trivial to guess and no screen timeouts, and they patently refuse to address either. Their firewall is a decade-old Linksys router and their guest Wi-Fi network isn't isolated in any meaningful sense. I literally yelled at the owner of the firm that no, I was not going to remove the passwords entirely and open up his workstation to use Remote Desktop over the public internet.

      Another doctor's office I worked with has been exploring a merger for some time, so they patently refused to spend a dime on anything that still even-a-little-bit worked. To be fair, the logic was sound: if the merger went through, the parent company would be replacing basically-everything anyway. If it didn't, they had one of those agreements where the company acquiring them would pay them a hefty sum, which they did earmark explicitly to revamp their IT. The buyer just kept dragging their feet, so their domain controller was still Server 2008 (the Vista one). They're using some sort of terminal emulator to log data into and out of something that looks AS/400-like, but I can't identify it beyond its IP address. Let's not talk about file and folder permissions......

      Trust me, if your doctor's office has fewer than three locations, they're probably very-not-HIPAA-compliant, to the point where I basically have more trust in the safety of doctor's offices still using paper files.

    3. Re:Same in Dr's offices by rojash · · Score: 1

      Sorry, so tl;dr; for this is ??

    4. Re: Same in Dr's offices by rojash · · Score: 1

      your effing Dr's prescription is not the same as their admin taking all your info and keeping it in paper files...where in the world are you from ?? Your Dr. takes your private info ?? Apples to Oranges Dude.

    5. Re:Same in Dr's offices by Voyager529 · · Score: 1

      For many doctor's offices with EMR systems, paper files in locked cabinets would probably be an improvement for security.

  10. Re: Which is why each state has separate car compa by raymorris · · Score: 1

    So what you're saying is that a vehicle that is optimum to drive up a snowy mountain in Colorado is different than one optimized for cruising Miami Beach, right? So to some extent, it kinda makes sense to have different cars for different states?

    On the other hand, the treatment for a broken leg in Colorado is exactly the same as the treatment for a broken leg in Florida, so prohibiting people in Colorado from choosing health insurance from a company in Florida is utterly ridiculous on its face?

  11. Re:Goes without saying by BradMajors · · Score: 1

    The Republicans almost voted to return health care to the states which would have been a fantastic solution. The reason why it didn't happen was because every single Democrat voted against it and 60 votes are required to get things done in the Senate.

  12. Anyone who has followed the history of this site by SlaveToTheGrind · · Score: 2

    should only be surprised that it took this long for this sort of steaming pile to be breached. Or in a way that left enough breadcrumbs for someone to notice, anyway.

  13. Don't Hesitate! by Cmdln Daco · · Score: 1

    "I want to make clear to the public that HealthCare.gov and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted,"

    Translation: "Please continue to put your personal information in our shitwagon."

  14. Re:Which is why each state has separate car compan by dasunt · · Score: 2

    We already have health insurance companies selling across state lines. I can start a health insurance company in Alaska, and sell health insurance in Florida.

    The only caveat is that I have to comply with Florida law for the insurance policies I sell in that state.

    What Republicans want to do is make it so I can set up shop in Alaska and sell insurance policies to Florida that comply with Alaskan law. And this is where we have already seen a race to the bottom in another field: Credit cards.

    Until a few decades ago, most states capped interest rates. Along came the Supreme Court and said that for credit cards, the state law where the company is based applies, not the state law where the credit card holder is. This turned Sioux Falls into a major base of operation for credit card companies, since South Dakota, unlike most states at the time, did not have a limit on interest rates.

    I see no reason why health insurance shouldn't expect to see a similar race to the bottom if they no longer have to follow the state law where the policy holders are based.

  15. So, approximately all of them ...

  16. Re:Goes without saying by ShanghaiBill · · Score: 1

    That is a silly comparison. The real issue is how much of an entitlement people have to healthcare, and how much other people should pay to provide it.

    Democrats generally support broadening the entitlement, and perhaps making it universal, but are not clear who will pay, how generous the system will be, or how we can transition from the bloated and expensive system that we have now.

    Republicans generally support keeping Medicare (healthcare for old people), Medicaid (healthcare for poor people), and the VA (healthcare for veterans), but want to roll back the ACA, without any agreement on what will replace it.

  17. Re: Nothing exciting or? by jd · · Score: 1

    I... think several of my past jobs qualify as working in security. And nobody works to be OSI compliant, at least not in any of the projects I've worked on. I doubt most people know any relevant OSI standards.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  18. Re: Which is why each state has separate car compa by jd · · Score: 1

    I would agree with you, as far as you've gone, yes. There's nothing intrinsic about a Florida insurance company that means it can't handle a Colorado claim.

    This whole in-State/out-of-State thing is, as you rightly point out, a red herring, a most scarlet fish of our times. That's not where the issues lie and there should be no constraints there.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  19. What has gone undetected? by booboo · · Score: 1

    On initial release this system had an alarming number of security issues, but anyone publicly pointing them out (e.g. David Kennedy from TrustedSec) was generally marked as a conservative troll and not genuinely interested in the security of the system. I generated a shitload of 'anomalous activity' back in the day doing a little personal research and there was zero evidence of detection or responsive action. I'm sure security has improved over the years but I doubt this is the first incident.