Security

Military Healthcare Data Stolen

An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families is contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
  • hmm... (Score:5, Insightful)

    by Transcendent ( 204992 ) on Friday December 27, 2002 @11:51PM (#4970627)
    This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information.

    Well if the military keeps a record of immunizations of its soldiers, then any country wishing to use bio weapons upon the US could use their medical record to determine which viruses/bacteria/pathogens they are weakest against.
  • Big surprise? (Score:5, Insightful)

    by Sad Loser ( 625938 ) on Friday December 27, 2002 @11:52PM (#4970639)
    I work in healthcare
    Healthcare sysadmins are often pretty poorly paid and are often people who would not make it in a business environment, and the security is often minimal. I know, I 'test' it.
    I think we will have a few more of these disasters until the healthcare industry realises that IT is part of its core business and has to pay accordingly.
  • Security (Score:1, Insightful)

    by Anonymous Coward on Friday December 27, 2002 @11:54PM (#4970645)
    Well, hopefully the systems were using linux or a BSD, had difficult passwords, and encrypted the records......
  • Protection (Score:1, Insightful)

    by lamery ( 598414 ) on Friday December 27, 2002 @11:54PM (#4970648)
    Hopefully the data is encrypted? You'd think (and hope) that having a government contract would mean the company has some decent security. This much information can be abused in any number of ways, not just by terrorists. Perhaps this is an argument against having people's entire lives stored in a database.
  • by sickmtbnutcase ( 608308 ) on Friday December 27, 2002 @11:55PM (#4970651)
    maybe the US government should secure their equipment a little better before they try to secure the internet.....

  • by g4dget ( 579145 ) on Saturday December 28, 2002 @12:00AM (#4970670)
    Rather than spending money on tracking down and throwing a bunch of clueless hackers in jail, law enforcement should really focus on the criminals that are easy to identify and prosecute: companies that don't treat customer data with appropriate care. If a few high-profile cases resulted in hundreds of millions of dollars in fines, these cases would soon stop happening: companies would finally make the modest investments necessary to keep customer data secure.
  • by The Tyro ( 247333 ) on Saturday December 28, 2002 @12:01AM (#4970677)
    forget about virtually protecting patient data with VPNs and encryption... how about some physical security? They state that there was "reasonable security" for a company; hmmmm... obviously that hinges on your definition of reasonable.

    Data like this is a gold mine if the thieves have any idea how to use it. I hope they are advising people to put fraud alerts on their credit reports... but there are things worse than identity theft. What might that information be worth to a foreign power, or terrorist organization?
  • Bad, very bad... (Score:3, Insightful)

    by TheSHAD0W ( 258774 ) on Saturday December 28, 2002 @12:02AM (#4970682) Homepage
    "Yes, Lieutenant. I've already heard your name, rank, and serial number, over and over again. Now, I'd like to show you this photo... Steady! (Hold him, please.) Our sources looked up your next of kin in your medical records... This is a recent photo of your mother and father, hm? Our operatives are quite good at photography, we train them well.

    "Now where were we? Oh yes. Now, Lieutenant, I'd like you to begin talking. And please remember, your parents' lives depend on what you say. Name, rank and serial number are not acceptable."
  • Re:Security (Score:2, Insightful)

    by bheerssen ( 534014 ) <bheerssen@gmail.com> on Saturday December 28, 2002 @12:03AM (#4970684)
    Nah, if the thieves were really after the information and not the hardware, they'd just mount the drives on a new computer. Access the files that way. This just proves that physical security is just as important as on-line security. Does you no good to secure a critical server against online attacks if you put the server in an insecure physical environment. The article implies that the building that contained these servers are standard office buildings. Simple locks on interior doors and many people with access to the building. Not exactly what I'd call secure.

    Encryption is a good point, but what do you think the chances are any of the data is encrypted. Slim?
  • by iomud ( 241310 ) on Saturday December 28, 2002 @12:06AM (#4970689) Homepage Journal
    That reminds me of the scene in wargames when the tour group enters through the obscenely thick door. Ironic to the point of insane.
  • by rmohr02 ( 208447 ) <mohr.42@osu. e d u> on Saturday December 28, 2002 @12:06AM (#4970690)
    I'm sure there's better people to steal a computer from than the military.
  • by rodgerd ( 402 ) on Saturday December 28, 2002 @12:09AM (#4970702) Homepage
    Yeah. Like the way the Mad Anthrax Mailer suddenly went from a "must get" when it was thought to be a filthy foreigner to a "drop like hot potato" when it started looking like ties to senior military research labs.
  • by The Tyro ( 247333 ) on Saturday December 28, 2002 @12:15AM (#4970717)

    if you haven't got physical security, you haven't got ANY security.
  • Bring on the TIA! (Score:5, Insightful)

    by Isao ( 153092 ) on Saturday December 28, 2002 @12:30AM (#4970762)
    So this suggests that the U.S. Government's Total Information Awareness [darpa.mil] program would be a nice, juicy target. After all, everything's in one place...
  • Re:What ?!?!? (Score:2, Insightful)

    by Hex4def6 ( 538820 ) on Saturday December 28, 2002 @12:34AM (#4970767)
    Come on...
    Who wouldn't want to know all that juicy data? Just think - blackmailing GI's who haven't got their latest TB shot...
    learning the secrets to healthcare in the military...
    The list goes on and on ;)
  • by prisoner-of-enigma ( 535770 ) on Saturday December 28, 2002 @12:48AM (#4970793) Homepage
    To a prisoner of war, sitting chained to a chair in some interrogation chamber after just being repeatedly subjected to beatings, whippings, and electric shock torture and probably doped up on sodium pentothal, even the threat of action against their family by someone who has even a sliver of information about them would seem very real indeed.

    Suppose the following scenario: you are kidnapped, taken to a small room and tortured, then someone asks you for classified information, or to betray your country, or to do something that every fiber in your being resists. Then that person proceeds to enumerate the names, ages, addresses, and medical conditions of your family members. Perhaps they include a bit of data on where they go out to eat, or where they work, or if there's an alarm system on their house. They don't have to say where they got the data, the very fact that they have it at all could lead you to believe that they have much, much more of it. Most military members have family somewhere that doesn't live on base (parents, siblings, etc.) Information is the most valuable tool an enemy can have.
  • by Daniel Dvorkin ( 106857 ) on Saturday December 28, 2002 @12:53AM (#4970809) Homepage Journal
    Good luck, A1C Tux. It's a hell of a military you've found yourself in -- yeah, yeah, I know, old soldiers bitch all the time (and I'm not that old; I was in from 1989 to 1997) but it really does seem like some things were going to hell right about the time I got out, and the whole Tricare thing is one of them. (My guess is that TriWest is a company formed specifically to handle Tricare contracts.) As a medic, I had to deal with all the harebrained ideas for patient administration that came down the pike, and I don't envy you. Sounds like it's just getting worse.

    Business is not war, and war is not business, and outsourcing vital functions of our national security to private companies that don't give a shit about the welfare of people in uniform is not the way to keep our country safe. Actually, this is true of a whole bunch of governmental functions; the whole "run government like a business" bandwagon that Democrats and Republicans have jumped on with equal enthusiasm is a stupid idea. But that's a whole 'nother argument ...
  • RTFA (Score:4, Insightful)

    by dackroyd ( 468778 ) on Saturday December 28, 2002 @01:06AM (#4970851) Homepage
    It's in the first line.

    Thieves who broke into a government contractor's office snatched computer hard drives containing Social Security numbers, addresses and other records of about 500,000 members of the military and their families.

    Only the harddrives were taken from the machines, so unless the thieves were desperate for more space to download mp3s onto, then it's quite probable that they were just after the data.

  • by StupidKatz ( 467476 ) on Saturday December 28, 2002 @01:09AM (#4970859)
    Mugging victim: ... gah! Police officer! That man over there just punched me in the face and stole my wallet! Help!
    Policeperson: Sorry, you should have treated that wallet with more care. In fact, here's a ticket for a few hundred million dollars that will help motivate you to "take better care" of your wallet.
  • by CamMac ( 140401 ) <PvtCamNO@SPAMyahoo.com> on Saturday December 28, 2002 @01:36AM (#4970924)
    As a member of the military, I am ~really~ curious to know what they could do with that info.

    Someone mentioned immunization records. But who cares if some 80 yr old retired Sgt Major had his TB recently? And until you correlate Soldiers with Units, that info won't do you much good. If you wanted to know that, why not steal it from the Unit... it wouldn't be too much harder; and would provide /a lot/ more info. A lot.

    I personally think that they were after SSN's, and just happened to view a haul of 500k as too good to pass up. I don't believe that the fact it was military was of consequence. Which is why I also believe that it was American Civilians that did it, not some Foreign Agent. If so, I'm f*'ing pissed.

    I don't need to say how well you can screw someone over with their SSN; imagine the entire Military preoccupied with sorting out their lives; worried about a wife (or husband) and children having to deal with identity theft while the soldier is busy overseas.

    --Cam
  • by madcow_ucsb ( 222054 ) <slashdot2@sanksEULER.net minus math_god> on Saturday December 28, 2002 @03:23AM (#4971223)
    No shit. I'm a dependent (dad's retired AF). Bastards make me drive over 1.5 hours to go to a CLINIC at Vandenberg AFB even though I can think of 3 or 4 full-service hospitals and countless (better) clinics within 10-15 miles from me (in Santa Barbara, CA). I should call them again, maybe this time they'll actually let me have a local doctor.

    Give me my mom's kaiser any day. They might make me drive the same distance but at least it'll be to a real hospital with doctors that know what they're doing....

    Oh well. Guess I won't have to deal with them again come June when I get my degree...good riddance.

    But if Tricare's security is anything like the rest of their organization I can only say I'm surprised that it took this long for this to happen...
  • Re:What ?!?!? (Score:2, Insightful)

    by videodriverguy ( 602232 ) on Saturday December 28, 2002 @05:31AM (#4971484) Homepage
    If you read the article, it talks about a server installation - not very useful for playing online games (although some sys admins might correct me on that).

    It was probably a RAID set of SCSI drives, which AFAIK aren't that easy to sell to your average stolen property fence.

    That, and given the fact that this was not a random theft (planning etc.), leads me to think that the SSNs were the target. And that whoever was responsible knows how to extract the data.

    500,000 SSNs must be worth a lot of money to some criminal(s) out there.
  • Re:hmm... (Score:1, Insightful)

    by Anonymous Coward on Saturday December 28, 2002 @07:31AM (#4971690)
    Plus windows XP licensing conditions are incompatible with HIPAA. :-)
  • Re:RTFA (Score:2, Insightful)

    by mrfiddlehead ( 129279 ) <mrfiddlehead@yahoo . c o.uk> on Saturday December 28, 2002 @09:27AM (#4971842) Homepage
    Dunno about that ... I used to work in a University and the thieves often would steal only the harddisks, or ethernet nics (at the time the cards were a bit more costly). I suspect this is because a single person can walk out of a computer lab with upwards of 50 harddrives, but only one computer. Oh yeah, DIMMS were another popular option.
  • by Anonymous Coward on Saturday December 28, 2002 @11:52AM (#4972164)


    Why wasn't an encrypted filesystem used on such sensitive data? Use password beginning of day, shut server when lights go out, use password next morning.

    Hope the jury can understand something trivial as this if they get sued.

    A de minimis level of security has to be taken by the company, including on the servers themselves, since the tools are so readily available, and even free.

    NO EXCUSE

  • by SynCrypt ( 587990 ) on Saturday December 28, 2002 @09:17PM (#4973869)
    We're likely to see many more of these types of scenarios as long as the government continues allowing (even encouraging) large-scale data gathering -- and as long as companies aren't held responsible for their mistakes.

    Large databases with diverse pieces of personal information in one database with inadequate protection are just too attractive a target -- 500,000 social security numbers? The amount of money identity thieves can make from the sale of those SSNs, and the damage done to individuals, is staggering. But will there be any penalty beyond a slap on the wrist for insufficient security?

    To clear up a few misconceptions that I've seen from the posts:

    HIPAA is now worded in such a way that it allows health care providers (and other "covered entities") to share medical information about a patient without consent for a number of reasons. The result is that information in your file may be shared with others without you ever finding out. The best place I've found for information on HIPAA is at the Health Privacy Project [healthprivacy.org] . Go to their page and do a search on "HIPAA" and you will find out everything you ever wanted to know about HIPAA.

    HIPAA makes it easier to circulate information once gathered, but it is not itself a storage system. For a huge storage system, go check out the Medical Information Bureau [mib.com] (MIB) web site. They have a FAQ [mib.com] about what they do, what medical information they store, and who they share it with. MIB exists to prevent fraud (a good thing), but I'd sure like to know what their security is like.

    Finally, for another reason to repeal HIPAA and decentralize information, read about the "Emergency Health Powers Act" [healthprivacy.org]. Again, designed for good reasons, but could be applied in very heavy-handed ways. The Health Powers Act specifically shields companies from liability.
