Forgot your password?
typodupeerror
Security

Military Healthcare Data Stolen 302

Posted by michael
from the sick-call dept.
An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families is contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
This discussion has been archived. No new comments can be posted.

Military Healthcare Data Stolen

Comments Filter:
  • hmm... (Score:5, Insightful)

    by Transcendent (204992) on Friday December 27, 2002 @11:51PM (#4970627)
    This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information.

    Well if the military keeps a record of imunizations of its soldiers, then any country wishing to use bio weapons upon the US could use their medical record to determine which viruses/bacteria/pathogens they are weakest against.
    • Way too hard. Just identify people who may have important expertise (senior staf, technical specialists, and the like), and start arranging for a string of accidents.
    • by Anonymous Coward
      One of my co-worker's husband recently
      had to prep all of his vital information "in
      the event of". This data probabaly contains
      all the info one could ever desire to carry
      out succesful ID theft:
      • *All* vital stats (in original form?) including
        for dependents?
      • Individuals that will be unable to detect
        the theft for an extended period
      • A SNAFU the size of Iraq to keep the
        authorities busy
      My solution:
      Dissolve the assets of the company
      as a lesson for protectors of our data, and
      make a slush fund to pay out when the
      attacks start.
    • Well if the military keeps a record of imunizations of its soldiers, then any country wishing to use bio weapons upon the US could use their medical record to determine which viruses/bacteria/pathogens they are weakest against.

      And I can sharpen my pencil and stab you in the eye -- instantly blinding you. But will I do it? Heck no.

      The US goverment loves to use words like "could", "possibly","should have", "probably", "might", "may" to sway public opinions to their favour by instilling fear.

      Yes, there were some crazy nut heads who did 9/11, but does not mean accusation without concrete evidence is justified.
    • So much for the efficiency of the Heimatsicherheitshauptamt [ttgnet.com], roughly, the "Homeland Security Main Office"

      I recommend German for all government titles of such offices.

      ;-)

      It has a certain satiric edge

  • by YahoKa (577942)
    To steal from somewhere the military has a huge interest. They'll probably spend the cashola on the investigation, and when they are caught someone is going to get it REALLY hard right up the ...
  • Big surprise? (Score:5, Insightful)

    by Sad Loser (625938) on Friday December 27, 2002 @11:52PM (#4970639)
    I work in healthcare
    Healthcare sysadmins are often pretty poorly paid and are often people who would not make it in a business environment, and the security is often minimal. I know, I 'test' it.
    I think we will have a few more of these disasters until the healthcare industry realises that IT is part of its core business and has to pay accordingly.
    • You've got to be kidding. A good sysadmin would stop someone from breaking in and stealing the box? You might want to read the article, or even the submission.
    • by The Tyro (247333) on Saturday December 28, 2002 @12:15AM (#4970717)

      if you haven't got physical security, you haven't got ANY security.
      • Although if the data had been encrypted, and the key kept elsewhere, the customers of the thieves (assuming industrial espionage or military spying was the motivation) would be _quite_ displeased once they plugged them in to see what they had...

        I know, keeping the key elsewhere could have been a total pita in this case, depending on how the data was used/how often the host system was restarted, if it needed to be able to restart itself from a failure with no admin/user intervention, etc. etc...but if you can encrypt the data, at least it is just hardware you lose when your physical security breaks down.
    • people who would not make it in a business environment,

      Sweet, I know where to apply for a job now! Awesome, thanks buddy! (and to think all those big companies laughed at my resume!!)

  • by John Paul Jones (151355) on Friday December 27, 2002 @11:53PM (#4970641)

    This makes me think of all the conference speeches I've given on security, watching folks yawn through the physical security sections.

    Firewall indeed.

    -JPJ

  • by bheerssen (534014) <bheerssen@gmail.com> on Friday December 27, 2002 @11:54PM (#4970644)
    The Defence Department learns that Windows are a problem in information security.

  • What ?!?!? (Score:5, Interesting)

    by Tin Weasil (246885) on Friday December 27, 2002 @11:54PM (#4970649) Homepage Journal
    What makes people so sure they were after the computer for that data? They probably stole it so they could play The Sims Online.
    • Re:What ?!?!? (Score:2, Insightful)

      by Hex4def6 (538820)
      Come one...
      Who wouldn't want to know all that juicy data? Just think - blackmailing GI's who haven't got their latest TB shot...
      learning the secrets to healthcare in the military.. .
      The list goes on and on ;)
      • by lgftsa (617184)
        Just think - blackmailing GI's who haven't got their latest TB shot...

        Yeah, I can just see Agents of a Foreign Power going round to their homes and threatening them with a rusty nail.

        "You for us work now, comrade, or poke you with this, we do!"
    • RTFA (Score:4, Insightful)

      by dackroyd (468778) on Saturday December 28, 2002 @01:06AM (#4970851) Homepage
      It's in the first line.

      Thieves who broke into a government contractor's office snatched computer hard drives containing Social Security numbers, addresses and other records of about 500,000 members of the military and their families.

      Only the harddrives were taken from the machines, so unless the thieves were desperate for more space to download mp3s onto, then it's quite probable that they were just after the data.

      • Re:RTFA (Score:5, Informative)

        by FTL (112112) <slashdot@nOspaM.neil.fraser.name> on Saturday December 28, 2002 @02:06AM (#4971008) Homepage
        > Only the harddrives were taken from the machines

        Keep in mind that when geeks like us talk about 'harddrives', that's not the same thing as what the general population refers to as 'harddrives'. Nearly every non-geek I've met thinks that the case is the hard drive.

        These thieves may have stolen the computers (leaving the bulky monitors), and the non-geek reporter wrote that they only took the harddrives.

        • Re:RTFA (Score:3, Informative)

          by danamania (540950)
          This is exactly what happened recently when a computer theft racket was exposed where young kids were sent to steal machines from schools here.

          Whoever reported it wrote that kids were paid up to $AUS500 for each "hard drive" stolen from schools - the reality is kids were allegedly paid this much for stealing brand new fileservers and laptops.

          a grrl & her server [danamania.com]
        • Re:RTFA (Score:3, Funny)

          by Ridge (37884)
          Uh no... Your non-geek translator must be malfunctioning. The case would be known as the "CPU". Thusly a non-geek "harddrive" would in fact be a 3.5" floppy, or alternatively, if they are a more advanced non-geek, it would be a ZIP disk. Of course the bulky monitors of which you speak could be translated to "the desktop" or, perhaps, "the window". Of course it's all moot, since they're going to fuck up their machine irregardless and you'll be getting a phone call at 2am after they try to insert their coffee into the "cup holder".
      • Re:RTFA (Score:2, Funny)

        by NeoMoose (626691)
        <i>Only the harddrives were taken from the machines, so unless the thieves were desperate for more space to download mp3s onto, then it's quite probable that they were just after the data.</i><br><br>

        Well shit, let's call up the RIAA and let them track the f***ers down.
    • Re:What ?!?!? (Score:2, Insightful)

      If you read the article, it talks about a server installation - not very useful for playing online games (although some sys admins might correct me on that).

      It was probably a RAID set of SCSI drives, which AFAIK aren't that easy to sell to your average stolen property fence.

      That, and given the fact that this was not a random theft (planning etc.), leads me to think that the SSNs were the target. And that whoever was responsible knows how to extract the data.

      500,000 SSNs must be worth a lot of money to some criminal(s) out there.
  • by sickmtbnutcase (608308) on Friday December 27, 2002 @11:55PM (#4970651)
    maybe the US governement should secure their equipment a little better before they try to secure the internet.....

  • by g4dget (579145) on Saturday December 28, 2002 @12:00AM (#4970670)
    Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail, law enforcement should really focus on the criminals that are easy to identify and prosecute: companies that don't treat customer data with appropriate care. If a few high-profile cases resulted in hundreds of millions of dollars in fines, these cases would soon stop happening: companies would finally make the modest investments necessary to keep customer data secure.
    • Mugging victim: ... gah! Police officer! That man over there just punched me in the face and stole my wallet! Help!
      Policeperson: Sorry, you should have treated that wallet with more care. In fact, here's ticket for a few hundred million dollars that will help motivate you to "take better care" of your wallet.
      • Although I agree with you, this is a more accurate version:

        Old woman hires person because she knows she can't protect her wallet. Person charges old woman money for it. Person gets robbed, doesn't put up a fight... says "fuck it, I'm not getting in a fight over someone else's friggin wallet"...

        Old woman scratches her head.

        The other edge of the sword though is this:

        Old woman... [same as above yadi yada]... Says to Person, you know, I'm paying you an awful lot to just walk next to me holding my purse. So I'll pay you just to walk and hold my purse... $<minimum wage>/hr (because, as chris rock says: "I'd pay you less, but it just ain't legal"). Person gets mugged, and thinks, "Fuck! I'm just getting paid to walk... not fight".

      • by g4dget (579145)
        Your analogy is wrong. Among other things, your analogy doesn't take into account that there are three parties involved: the victim, the thief, and the party to which the valuable property was entrusted. A better analogy would be...

        Traveler to airline: Where is my luggage?

        Airline: We don't know. We left it on the sidewalk last night, and today it's gone. Sorry, it's not our problem. File a complaint with the police, maybe they can find it.

        You see, your private information is valuable. If it falls into the wrong hands, you may lose your life savings. Companies that you entrust with it have a duty to treat it with care.

        Furthermore, the tax payer shouldn't be responsible for tracking down losses that are enabled by the complete carelessness of poorly run businesses.

        It's a well-established legal principle that if you entrust somebody with something valuable, in many cases, they are legally responsible if it's lost or stolen if they didn't take proper care of it. In fact, airlines are liable for loss of your luggage even if they did take proper care of it.

        Since personal information is often much more valuable than luggage and since losses are hard to quantify (e.g., suffering from identity theft, etc.), penalties should be stiff.

        If a company takes reasonable care to secure their computer systems physically and against break-ins, then they shouldn't be penalized for negligence when data is stolen (although they may still be liable). But this case, like most others, smacks of complete negligence on the part of the company.

      • Except that only affected you. Your money. Your wallet. Your identity, by chance. And chances are there's a lot more information in these files than what's in your wallet.

        That's right. That bastard mugger affected your wallet, not the wallets of 500,000 other people.

        Get real. People and corporations need to be held accountable for their actions - otherwise why would something like HIPAA exist in the first place? Yes, the people who stole it are deplorable and need to be punished - but the people who allowed it to be stolen so carelessly hold accountability, too.
    • I know this corporations are evil/hackers are good thing is popular on slashdot, but you don't make any sense. See, in the real world, we are governed by laws. There is no law that states: "You must treat customer data with appropriate care." Punishment is the result of a specific law being broken, not some romantic H4X0R ideal. Having third-rate security, while deplorable, isn't illegal anywhere as far as I know.

      But the clueless (and as you seemed to have implied, "harmless") hackers have broken a law or two. They absolutely deserve whatever criminal proceedings are forthcoming. The business deserves, simply, to lose its government contract. Why you want to complicate this matter and rewrite corporate law is beyond me.

      Your sensationalism would imply things like this are routine, when in fact, the rarity of these events is due to the two after-effects I've mentioned above.
      • by g4dget (579145) on Saturday December 28, 2002 @01:52AM (#4970972)
        See, in the real world, we are governed by laws. There is no law that states: "You must treat customer data with appropriate care."

        Sure, there is. In many situations, where you entrust companies or individuals with valuable or private information, they have a responsibility to take reasonable care to keep it private. It's just that there aren't particularly stiff penalties right now. And that has resulted in an unacceptable carelessness by companies when dealing with customer information.

        The business deserves, simply, to lose its government contract. Why you want to complicate this matter and rewrite corporate law is beyond me.

        We have notions of "fiduciary duty" and "criminal negligence" for physical property. It makes sense to apply them to what companies do with personal information.

      • >There is no law that states: "You must treat
        >customer data with appropriate care." Punishment
        >is the result of a specific law being broken,
        >not some romantic H4X0R ideal.

        Medical records, in particular, DO have laws respecting their confidentiality.

        What's more, there is hopefully, specific language in the contract (this is a defense contractor we're talking about here!) that would be intended to ensure security.

        The result of this will probably be to make it even harder for a regular geek to get work in healthcare companies which deal with military accounts... which were most of my lukewarm prospects.

    • Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail

      It's the "rather than" that blows me away. It's not just that we have no way of knowing who was behind the crime, clueless or not, but that you somehow think there aren't the resources to go after everyone responsible.

      Absent some sort of immunity, the contractor is civilly liable for consequential losses to both the government and the individuals. They appear quite aware of this judging from their remedial steps, and they have plenty on the line without the government butting in with "penalties." At worst the company was negligent -- and we don't know that, either. There is not a thing in the articles suggesting TriWest was at fault. As it now stands they may be a mere victim.

      By my count thus far you're comment is riding atop three shaky assumptions. You're lucky there's no fine for ill-considered speculation.
      • Before DoD will discolose information to contractors, they must meet certain security standards. If a few punks off the street can waltz off with the medical records of 500k+ service personnel and their families, TriWest has failed to maintain the security accreditation they were granted.

        Watch for TriWest to lose all their government business in the near future; they have shown themselves unable to meet the minimal standards required to secure personal information (let alone information dealing with national security!)
        • If a few punks off the street can waltz off with the medical records of 500k+ service personnel

          Punks? Where are you getting this stuff? They have no idea who the thieves were. It is this kind of prejudgment without facts that I was objecting to. I don't see the basis for your inference, not yet. My first question is why there wasn't encryption -- but then maybe there was.

          I just looked and found a little more detail [fra.org], which suggests laxity but not waltzing. It is still hard to say, and the pub may be biased towards military personnel. It is unclear what "apparently gained access to a property manager's office" entailed doing. Inside job?:
          The break-in occurred Dec. 14, when a thief or thieves stole every hard drive out of TriWest ``servers'' used to store enrollment and claims storage. TriWest for the past year has housed its servers in industrial park offices in northwest Phoenix. The thief apparently gained access to a property manager's office, stole a master electronic key and entered TriWest spaces with ease. The office was not protected by surveillance cameras. Electronic door records show the thief was confident enough about not getting caught to make two trips, in and out, of the secured area.
  • by Tomah4wk (553503) <tb100@dTEAoc.ic.ac.uk minus caffeine> on Saturday December 28, 2002 @12:00AM (#4970671) Homepage
    Most computer hardware is stolen to be sold on as computer hardware. These could be your standard issue thief who is only likely to sell on the hardware itself, without ever knowing he even has the data. Of course it could be someone who has an interest in the data, or someone who just wants to say a big F**** YOU at the guys in charge of these things. If this hardware isnt UV marked or otherwise, so it can be detected later, i would be very dissapointed. At my college we UV mark EVERY piece of hardware, and things like optical mice (i.e not the cheap ones no one wants to steal) are locked to the workstations, so you couldnt steal them without breaking them.
  • by The Tyro (247333) on Saturday December 28, 2002 @12:01AM (#4970677)
    forget about virtually protecting patient data with VPNs and encrytption... how about some physical security? They state that there was "reasonable security" for a company; hmmmm... obviously that hinges on your definition of reasonable.

    Data like this is a gold mine if the thieves have any idea how to use it. I hope they are advising people to put fraud alerts on their credit reports... but there are things worse than identity theft. What might that information be worth to a foreign power, or terrorist organization?
  • My question would be, did the thieves know that the computers contained military data, or were they just hijacking computers?
    It said that "hard drives" were stolen... what about the rest of the PC? If other electronic equipment was stolen, it could just be a simple theft.

    Regardless of the target, I have a feeling the military will be doing a detailed investigation. If it's just common crooks, they could find themselves in a whole lotta trouble after messing with the military.
    • by rmohr02 (208447)
      I'm sure there's better people to steal a computer from than the military.
    • I bet we'll never find out who stole it. They'll just be a pile of dust.
    • Yeah, when an AP story says the "hard drives" were stolen, I'm definitely not picturing a scenario in which thieves open the case, take out the drives, and then run. I bet they just took the whole computer, which to the AP writer probably means "monitor and hard drive." Speculation, but I'm betting they had no idea what they were taking.
      • That was my take on things too. I'm assuming they meant the information on the hard drives was lost, but the drive went with the PC. Unless of course the hard drives were rack-stored in a drive-bank - in which case individual drives could have been stolen (indicating that the thieves were after the data, not the hardware). Still, after dealing with tons of clients for computers who refer to the system (chassis/box, drives, etc) as a "hard drive", I'm guessing that you're right on that guess.

        It's pretty hard to make an educated guess/decision on something with such sparse details, hopefully we'll hear more from this a little later - and find out that "hard drives"="full PC's."
        Meanwhilst, I'll bet we have a bunch of thieves with brown stains in their pants after hearing the PC's they jacked contain military property...
  • Bad, very bad... (Score:3, Insightful)

    by TheSHAD0W (258774) on Saturday December 28, 2002 @12:02AM (#4970682) Homepage
    "Yes, Lieutenant. I've already heard your name, rank, and serial number, over and over again. Now, I'd like to show you this photo... Steady! (Hold him, please.) Our sources looked up your next of kin in your medical records... This is a recent photo of your mother and father, hm? Our operatives are quite good at photography, we train them well.

    "Now where were we? Oh yes. Now, Lieutenant, I'd like you to begin talking. And please remember, your parents' lives depend on what you say. Name, rank and serial number are not acceptable."
    • The scenario, or the fact that someone thought this was "funny?"
  • If the military will alert the persons whose data is on that machine to cancel their credit cards, put traces on any use of their SSN's (credit agencies will do this for a nominal fee), etc.
    In other news: Next week you'll be reading about Bill Gates harping on how this could be prevented if we all used .NET. The following week will be Larry Ellison's turn to rant and rave. Life is getting so predictable...
    • In other news: Next week you'll be reading about Bill Gates harping on how this could be prevented if we all used .NET. The following week will be Larry Ellison's turn to rant and rave. Life is getting so predictable...

      They'd harp over their "hardware protection" bull crap... Palladium...

      ...and then they'll even have the governments support. ::sigh::
  • Yeeeeaaaaahhhhh.... (Score:2, Informative)

    by AirmanTux (636967)
    I happen to be in the military, though just an Airman First Class, and due to the nature of my assignment I have to deal with contractors pretty often. Because of how the system works it seems like most of the time the military is getting hired by the contractors. More often than not we have to meet thier standards and I have yet to see an off base contractor that would meet DoD 'standards' for security. Furthermore, since all of our individual records are tracked by our social security numbers we don't really have much in the way of private information (there's "Privacy Act of 1974" stickers everywhere but that's pretty much a joke to begin with). I'm not sure why there'd be credit card information there and I've never heard of TriWest (Tricare is our health provider, typo maybe?) and judging on past experience I'd be surprised if the affected military are notified. Heck, I'd be surprised if they know which individuals it was. As for whether it was the hardware or software the theives were after, all I'm going to say is a lot happens right here in the Midwest that the general public is never aware of. There are active terrorist cells on US soil but for one reason or another there's not a lot we can do about them.
    • Good luck, A1C Tux. It's a hell of a military you've found yourself in -- yeah, yeah, I know, old soldiers bitch all the time (and I'm not that old; I was in from 1989 to 1997) but it really does seem like some things were going to hell right about the time I got out, and the whole Tricare thing is one of them. (My guess is that TriWest is a company formed specifically to handle Tricare contracts.) As a medic, I had to deal with all the harebrained ideas for patient administration that came down the pike, and I don't envy you. Sounds like it's just getting worse.

      Business is not war, and war is not business, and outsourcing vital functions of our national security to private companies that don't give a shit about the welfare of people in uniform is not the way to keep our country safe. Actually, this is true of a whole bunch of governmental functions; the whole "run government like a business" bandwagon that Democrats and Republicans have jumped on with equal enthusiasm is a stupid idea. But that's a whole 'nother argument ...
      • "run government like a business"

        The big difference to me appears to be the fact that any business venture has "failure" explicitly available as an option. (If the head of a business says "Failure is not an option", it's just words; it's still an option).

        "A government" might also have this luxury, but if it's stated so, it's not the US government.

        Run the government like a business, indeed. We can all see where that leads.

    • by The Tyro (247333) on Saturday December 28, 2002 @12:54AM (#4970815)
      Tricare is administered by regions. When you enroll in tricare, you are assigned to a region.

      Northeast, Mid-atlantic, Gulfsouth, etc.

      There is no TRICARE West region... but judging by the number of states mentioned in the article, I'd guess this contractor was dealing with the Central region (15 states), with the possible addition of california (1 state, obviously), or the Northwest region (2 states)

      Just FYI.
  • Is it any wonder? These contracts always go to the lowest bidder. I'd not be surprised to learn it was an "inside job", and that something nastier than identity theft or credit card fraud shall transpire. I hope I am wrong. I also remember how sloppy the military was (and still is I would presume) with my records.
  • Bring on the TIA! (Score:5, Insightful)

    by Isao (153092) on Saturday December 28, 2002 @12:30AM (#4970762)
    So this suggests that the U.S. Government's Total Information Awareness [darpa.mil] program would be a nice, juicy target. After all, everything's in one place...
    • You are right. Specially since the military wants everybody to have a "smart card" ID with a cheap chip inside that hold all of their information, medical, financial, work history, and you will need this ID to Log into a computer, granted you have a seven digit pin, ONLY NUMBERS! And again the military has outsourced this project. Look for more exciting time of information theft.
  • Some new sysadmin decided to show how forward thinking (can I say that on /.?) he was and decided to sneak linux in through the back door. Hmmmm, now where could he get a server that doesn't seem to be doing anything?? The server wasn't stolen, it's by his desk running samba!
  • by phr2 (545169)
    I don't see how a system with such crappy security could have been in compliance with HIPAA. Anyone understand that stuff well enough to say? It sounds like that company may be facing some penalties.
    • speaking as someone who works for a business associate, not a covered entity...On a given day, i may have on my computer, or a department server, sensitive patient information. for my company, a business associate--NOT a covered entity, the physical security is no more and no less than for any other PC.

      however, the primary point we've had drilled into us is that all data not being actively used must be encrypted or deleted. nothing just sitting around.

      so in that respects, if this computer was in an office that was locked up at night, the physical security isn't really a hipaa violation (as far as I know). the unsecure data is.

      On top of that, HIPAA isn't even fully enacted yet, so they don't have to worry about it to begin with. just because a law has been passed and people aer getting 'ready' and 'compliant' doesn't mean it is enforced yet.

      hope that clears some stuff up. i'd use more caps, but it's late and i'm tired =)
  • Imagine how much fear a terrorist group could install in US military personnel with that sort of date. Makes you think.

    -psy
    • Imagine how much fear a terrorist group could [instill] in US military personnel with that sort of [data]. Makes you think.

      Yes, it certainly does make me think. For about ten seconds. I was in the USAF myself, and I have a pretty good idea exactly how much fear there will be. Very little.

      The fact that TriWest is essentially an HMO for soldiers, sailors, and airmen doesn't really make them all that different in the broad strokes from any other HMO. If your health care data were stolen from your HMO, would you be afraid that some nefarious group of terrorists was planning to use it for some sort of bioweapon attack, or would you be more worried about the more pedestrian implications: identity theft and credit card abuse? That's what my father (who's still using Tricare's veterans' program) is concerned about.

      I doubt that you'll hear from a lot of servicemen quaking in their combat boots about this. Now, if the terrorists could interrupt the beer deliveries to every NCO club in the world...that's frightening.
  • I'm currently serving in the military. Our SSNs are tied to all of our records - financial, medical, everything.

    The number of credit card numbers that TriWest has is probably relatively small. I know they don't have mine. I think the only reason they would have to need credit card information is if a soldier had to pay for a medical procedure that isn't 100% covered (usually involving dependants/spouses).

    The biggest threat that this theft creates would likely be identity theft, although due to the aforementioned prevalent use of the SSN in nearly all military records, this might not even substanially raise the exposure service members already face. Google shows scores of web sites and articles regarding military identity theft.

    I guess that's what I get for serving my country. :-(
  • Did the DOD think to have these sensitive files encrypted? Don't most online stores encrypt their credit card databases now?

    I may not be the most paranoid person I know and I think it's a bit crazy to go to such lengths but if a file is that important why wouldn't you?

    Why not go the extra mile and use and encrypted file system as well? Wait, that's the paranoid side of my thinking again.

    I guess it takes a lot of high profile incidents like this to get folks to wise up about security on all levels.
  • tricare is a POS (Score:4, Interesting)

    by tf23 (27474) <tf23@lot[ ]ot.com ['tad' in gap]> on Saturday December 28, 2002 @01:05AM (#4970846) Homepage Journal
    If you have ever had to deal with Tricare, I feel your pain.

    It is *the* worst insurance system in the world.
    Call them twice - ask the same question - you will get a different answer 85% of the time. There are times, infact, where it's been better to *not* use them at all, and just pay outright.

    I feel for all you who are forced to use tricare, and are now possibly screwed somehow because your info was stolen. Keep your eye on your accounts and whatnot, I know we will be doing so more then ever.

    • by madcow_ucsb (222054)
      No shit. I'm a dependent (dad's retired AF). Bastards make me drive over 1.5 hours to go to a CLINIC at Vandenberg AFB even though I can think of 3 or 4 full-service hospitals and countless (better) clinics witin 10-15 miles from me (in Santa Barbara, CA). I should call them again, maybe this time they'll actually let me have a local doctor.

      Give me my mom's kaiser any day. They might make me drive the same distance but at least it'll be to a real hospital with doctors that know what they're doing....

      Oh well. Guess I won't have to deal with them again come June when I get my degree...good riddance.

      But if Tricare's security is anything like the rest of their organization I can only say I'm surprised that it took this long for this to happen...
  • Or... (Score:2, Funny)

    by VistaBoy (570995)
    One of the doctors needed to back up his hard drive for a reformatting at home and thought "Oh, if i swipe it for the weekend, nobody'll notice."
  • by CamMac (140401) <PvtCam@@@yahoo...com> on Saturday December 28, 2002 @01:36AM (#4970924)
    As a member of the military, I am ~really~ curious to know what they could do with that info.

    Someone mentioned immunization records. But who cares if some 80 yr old retired Sgt Major had his TB recently? And untill you correlate Soldiers with Units, that info won't do you much good. If you wanted to know that, why not steal if from the Unit... it wouldn't be to much harder; and would provide /alot/ more info. Alot.

    I personally think that they where after SSN's, and just happened to view a haul of 500k as too good to pass up. I don't believe that the fact it was military was of consequence. Which is why I also believe that it was American Civilians that did it, not some Foreign Agent. If so, I'm f*'ing pissed.

    I don't need to say how well you can screw someone over with thier SSN; imagine the entire Military preoccupied with sorting out thier lifes; worried about a wife (or husband) and children having to deal with identity thieft while the soldier is busy overseas.

    --Cam
  • by Tuffnut (618438)
    Attach GPS compatible tracking devices inside the computers.


  • Has anyone thought to check
    Kevin Mitnick's [slashdot.org] house for the stolen computer?
  • About 8 years ago when I was in the Navy, we were REQUIRED to submit a blood sample and cotton swab of the inside of my mouth. We weren't given a choice, we were told refusal would be grounds for discharge.

    We had a lot of questions about this such as; storage (where, how long), would they be destroyed after discharge, could it be used against us(in legal proceeding, for insurance purposes)?

    We weren't given the answers to those questions. Now I'm wondering where the hell that vial of blood and cotton swab is right now. How secure is it? How could a DNA sample labeled with my SSN be used against me?
  • So, now that there are moves to significantly increase the amount of information gathered, analyzed and stored on every citizen in the name of a war against terror, how are we supposed to feel confident that this information is not going to be stolen by some terrorist group or spammer and used against us?
  • This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information.
    Of course, there's another option --

    That the thieves had no idea what data was stored on the computer(s), and just wanted to sell the hardware.

    Needless to say, Triwest and the miltary have to plan for the worst, and have to assume that the data is actually going to be used for something, rather than just wiped when somebody fdisk's the computers and installs their OS of choice.

    Unless the theives knew what they were stealing and stole it for the data (which I imagine would be worth way way way more than the hardware it's installed on -- the military and Triwest certainly will consider it so) and so they destroy the hardware rather than trying to pawn it, they're *very* likely to get caught. The serial numbers are likely to be known, and the police will be looking for them very actively.

    And if they don't even bother to wipe the disk (quite common in stolen computers, apparantly), the buyer of the computer may find all this stuff on the computer, and may have heard of this story, and will call the police ...

    And if they do catch somebody, that guy is going to get hit with a lot more than just a simple burglary rap. He'll probably be lucky if they don't classify him as a terrorist (with all the civil rights violations that go along with that) ... even if he's just a simple (but stupid!) burglar ...

  • The data on all media, including hard drives, should be encrypted. When a computer boots up and needs access to that data, an unswappable process needs to get the passphrase/key so that the information can be made available at run time.

  • This recent incident again illustrates the dangers of putting all one's keys so to speak (ie. social security number, name, address, etc) all in one place.

    Though it could be worse...at least most "keys" government/industry have for individuals can be changed in instances of severe abuse of one's identity. But as biometrics come more into use, then the stakes become even greater...how does one revoke themselves?...Suicide perhaps?

    Anyways, hope folks who design and implement these security schemes dispense with this "let's put everything in one place" mentality and design and build systems that feature more distributed security...otherwise there will continue to more and larger incidences of identity theft, etc.
  • My bet is the machine was stolen so somebody could play Solitaire and download porn at home...

    Probably nothing sinister....
  • by bruthasj (175228) <bruthasj@yah[ ]com ['oo.' in gap]> on Saturday December 28, 2002 @06:16AM (#4971564) Homepage Journal
    It was one of the IT dudes' son playing UT 2003 and said, "Man this GForce card rocks! Lemme take it home and swap it with my Trident."

  • by SynCrypt (587990) on Saturday December 28, 2002 @09:17PM (#4973869)
    We're likely to see many more of these types of scenarios as long as the government continues allowing (even encouraging) large-scale data gathering -- and as long as companies aren't held responsible for there mistakes.

    Large databases with diverse pieces of personal information one database with inadequate protection are just too attractive a target -- 500,000 social security numbers? The amount of money identity thieves can make from the sale of those ssns, and the damage done to individuals, is staggering. But will there be any penalty beyond a slap on the wrist for insufficient security?

    To clear up a few misconceptions that I've seen from the posts:

    HIPAA is now worded in such a way that it allows health care providers (and other "covered entities") to share medical information about a patient without consent for a number of reasons. The result is that information in your file may be shared with others without you ever finding out. The best place I've found for information on HIPAA is at the Health Privacy Project [healthprivacy.org] . Go to their page and do a search on "HIPAA" and you will find out everything you ever wanted to know about HIPAA.

    HIPAA makes it easier to circulate information once gathered, but it is not itself a storage system. For a huge storage system, go check out the Medical Information Bureau [mib.com] (MIB) web site. They have a FAQ [mib.com] about what they do, what medical information they store, and who they share it with. MIB exists to prevent fraud (a good thing), but I'd sure like to know what their security is like.

    Finally, for another reason to repeal HIPAA and decentralize information, read about the "Emergency Health Powers Act" [healthprivacy.org]. Again, designed for good reasons, but could be applied in very heavy-handed ways. The Health Powers Act specifically shields companies from liability.

...when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. - Fred Brooks, Jr.

Working...