Military Healthcare Data Stolen 302
An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families is contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
Who is stupid enough... (Score:2, Informative)
Yeeeeaaaaahhhhh.... (Score:2, Informative)
Re:Security (Score:2, Informative)
The real guts of story might be that this will be a poster child for what can go wrong with centralized health care databases. In the long run, this might be a good thing to have happened.
Re:Yeeeeaaaaahhhhh.... (Score:4, Informative)
Northeast, Mid-atlantic, Gulfsouth, etc.
There is no TRICARE West region... but judging by the number of states mentioned in the article, I'd guess this contractor was dealing with the Central region (15 states), with the possible addition of california (1 state, obviously), or the Northwest region (2 states)
Just FYI.
Re:How? (Score:2, Informative)
In the military everything is tied to your social security number. It's on all my paperwork from the enlistment contract to the piece of paper where I agreed not to have sex w/my recruiter. They put it on the ID cards. I had to use it whenever it went to sick call. It's spray painted on the outside of my duffle bag. It's even on a chain that I'm wearing around my neck right now (aka, my dog tags).
But even out in normal civilian life, the social security number is extreamly overused. I tried to test drive a car once and the dealer wouldn't let me because I wouldn't give them my SSN.
Re:Who is stupid enough... (Score:1, Informative)
Re:RTFA (Score:5, Informative)
Keep in mind that when geeks like us talk about 'harddrives', that's not the same thing as what the general population refers to as 'harddrives'. Nearly every non-geek I've met thinks that the case is the hard drive.
These thieves may have stolen the computers (leaving the bulky monitors), and the non-geek reporter wrote that they only took the harddrives.
Re:RTFA (Score:3, Informative)
Whoever reported it wrote that kids were paid up to $AUS500 for each "hard drive" stolen from schools - the reality is kids were allegedly paid this much for stealing brand new fileservers and laptops.
a grrl & her server [danamania.com]
Re:National Strategy to secure.... (Score:1, Informative)
Fast forward to TRI-CARE (ot Try-to-get-Care)...a system created to "save" Uncle Sam money. We contracted out the health care of families. In many case, our families are FORCED to go to a civilian health provider (not always a bad thing..but when forced, you have no choice, even if there are no doctors locally accepting new patients!). Yet, we now find that the contrator has POOR physical security, yet I am supposed to trust that their computer security is better!!!
Provide Some Context (Score:1, Informative)
Here are some things that might help reduce the FUD level in some of these commments.
- I do not work there.
- This information came from someone that works within the same system, but not the same contractor.
- Security in the building was likely to be that of a standard call center;
-- swipe cards to get in the building
-- receptionist at the desk watching those enter/leaving, maybe even a rent-a-cop there
-- swipe cards to get on the floors (if any)
-- swipe cards to get to the server room (where the theft probably occurred)
-- cleaning staff in at night, but probably not in the server room.
-- cameras in high-traffic areas
-- off-hours alarms, but shifts on saturdays and early evenings (when fewer people might be around)
- Windows Boxes (NT or 2000) for the call center staff
- Unix based database (using a dos-type shell to access), or possibly a windows front end for users.
- The usual under-educated, second income/ low income people working there. (Standard call center people, but those capable of learning the complex rules and procedures for medical insurance.) Not many of them would know what to do with a spare hard drive.
- Degrees among the staff members will be rare, even in management.
- The data involved contains at the very least; SSN, name, rank, address, medical history (sometimes 50 years of it), beneficiaries, local doctors, details of procedures, families names and addresses, copies of letters to and from the insurnace companies, copies of letters to and from the insured or their familes, call logs, internal process actions.
Obviously, it would be pretty easy to walk in behind someone to get to the building, but getting into the server room might be more of a challenge as there are fewer people with access to it. (IT staff only)
Also note, the company Triwest is up for contract renewal very soon. A theft of this type may tank their bid totally, so it is possible that the theft was designed to make them loose the contract for benefit of the other competing companies or by someone that has a gripe against the company.
In my opinion, how dangerous this is depends on if "hard drive" means the whole computer case, or if it means "SCSI 60 meg"; and if they were in a server at the time or not. Loose drives can get swiped for lots of reasons, though probably not related to the data on them. Whole server cases could get swiped for the hardware alone, where the the thief does not know how to get the data or care about what it is.
Though, if someone went to 4 servers out of 16, or took drives from opererating servers (wouldnt they notice right away if someone did that?) it is likely that the data itself was the target and one would expect all sorts of damaging stuff to happen by the release of this data.
Of course, now that there is publicity, the drives might get destroyed if the person just wanted the drives, or if they are a true criminal (not just an amature) they'll know the drives contain this data and the risk of it getting used goes up.
We would have prevented this (Score:1, Informative)