Military Healthcare Data Stolen
An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families are contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
hmm... (Score:5, Insightful)
Well, if the military keeps a record of immunizations of its soldiers, then any country wishing to use bioweapons upon the US could use their medical records to determine which viruses/bacteria/pathogens they are weakest against.
Big surprise? (Score:5, Insightful)
Healthcare sysadmins are often pretty poorly paid and are often people who would not make it in a business environment, and the security is often minimal. I know, I 'test' it.
I think we will have a few more of these disasters until the healthcare industry realises that IT is part of its core business and has to pay accordingly.
Security (Score:1, Insightful)
Protection (Score:1, Insightful)
National Strategy to secure.... (Score:3, Insightful)
stiff penalties for careless companies (Score:4, Insightful)
talk about a HIPAA violation (Score:4, Insightful)
Data like this is a gold mine if the thieves have any idea how to use it. I hope they are advising people to put fraud alerts on their credit reports... but there are things worse than identity theft. What might that information be worth to a foreign power, or terrorist organization?
Bad, very bad... (Score:3, Insightful)
"Now where were we? Oh yes. Now, Lieutenant, I'd like you to begin talking. And please remember, your parents' lives depend on what you say. Name, rank and serial number are not acceptable."
Re:Security (Score:2, Insightful)
Encryption is a good point, but what do you think the chances are that any of the data is encrypted? Slim?
Re:Not sexy, but effective (Score:3, Insightful)
Re:Who was the target? (Score:2, Insightful)
Re:Who is stupid enough... (Score:5, Insightful)
Just proves the hacker's axiom (Score:5, Insightful)
If you haven't got physical security, you haven't got ANY security.
Bring on the TIA! (Score:5, Insightful)
Re:What ?!?!? (Score:2, Insightful)
Who wouldn't want to know all that juicy data? Just think - blackmailing GIs who haven't got their latest TB shot...
learning the secrets to healthcare in the military...
The list goes on and on.
Re:Bad, very bad... (Score:4, Insightful)
Suppose the following scenario: you are kidnapped, taken to a small room and tortured, then someone asks you for classified information, or to betray your country, or to do something that every fiber in your being resists. Then that person proceeds to enumerate the names, ages, addresses, and medical conditions of your family members. Perhaps they include a bit of data on where they go out to eat, or where they work, or if there's an alarm system on their house. They don't have to say where they got the data; the very fact that they have it at all could lead you to believe that they have much, much more of it. Most military members have family somewhere that doesn't live on base (parents, siblings, etc.). Information is the most valuable tool an enemy can have.
Re:Yeeeeaaaaahhhhh.... (Score:3, Insightful)
Business is not war, and war is not business, and outsourcing vital functions of our national security to private companies that don't give a shit about the welfare of people in uniform is not the way to keep our country safe. Actually, this is true of a whole bunch of governmental functions; the whole "run government like a business" bandwagon that Democrats and Republicans have jumped on with equal enthusiasm is a stupid idea. But that's a whole 'nother argument.
RTFA (Score:4, Insightful)
Thieves who broke into a government contractor's office snatched computer hard drives containing Social Security numbers, addresses and other records of about 500,000 members of the military and their families.
Only the hard drives were taken from the machines, so unless the thieves were desperate for more space to download MP3s onto, it's quite probable that they were just after the data.
Bear with me a moment... (Score:2, Insightful)
Policeperson: Sorry, you should have treated that wallet with more care. In fact, here's a ticket for a few hundred million dollars that will help motivate you to "take better care" of your wallet.
Just after the SSN? (Score:5, Insightful)
Someone mentioned immunization records. But who cares if some 80 yr old retired Sgt Major had his TB recently? And until you correlate soldiers with units, that info won't do you much good. If you wanted to know that, why not steal it from the unit... it wouldn't be too much harder; and would provide
I personally think that they were after SSNs, and just happened to view a haul of 500k as too good to pass up. I don't believe that the fact it was military was of consequence. Which is why I also believe that it was American civilians that did it, not some foreign agent. If so, I'm f*'ing pissed.
I don't need to say how well you can screw someone over with their SSN; imagine the entire military preoccupied with sorting out their lives; worried about a wife (or husband) and children having to deal with identity theft while the soldier is busy overseas.
--Cam
Re:tricare is a POS (Score:2, Insightful)
Give me my mom's Kaiser any day. They might make me drive the same distance, but at least it'll be to a real hospital with doctors that know what they're doing....
Oh well. Guess I won't have to deal with them again come June when I get my degree...good riddance.
But if Tricare's security is anything like the rest of their organization I can only say I'm surprised that it took this long for this to happen...
Re:What ?!?!? (Score:2, Insightful)
It was probably a RAID set of SCSI drives, which AFAIK aren't that easy to sell to your average stolen property fence.
That, and given the fact that this was not a random theft (planning etc.), leads me to think that the SSNs were the target. And that whoever was responsible knows how to extract the data.
500,000 SSNs must be worth a lot of money to some criminal(s) out there.
Re:hmm... (Score:1, Insightful)
Re:RTFA (Score:2, Insightful)
Why encrypted filesystems not used? (Score:1, Insightful)
Why wasn't an encrypted filesystem used on such sensitive data? Enter the password at the beginning of the day, shut the server down when the lights go out, enter the password again next morning.
Hope the jury can understand something as trivial as this if they get sued.
A de minimis level of security has to be taken by the company, including on the servers themselves, since the tools are so readily available, and even free.
NO EXCUSE
Expect more of these -- and a few clarifications (Score:3, Insightful)
Large databases with diverse pieces of personal information in one database with inadequate protection are just too attractive a target -- 500,000 social security numbers? The amount of money identity thieves can make from the sale of those SSNs, and the damage done to individuals, is staggering. But will there be any penalty beyond a slap on the wrist for insufficient security?
To clear up a few misconceptions that I've seen from the posts:
HIPAA is now worded in such a way that it allows health care providers (and other "covered entities") to share medical information about a patient without consent for a number of reasons. The result is that information in your file may be shared with others without you ever finding out. The best place I've found for information on HIPAA is at the Health Privacy Project [healthprivacy.org]. Go to their page and do a search on "HIPAA" and you will find out everything you ever wanted to know about HIPAA.
HIPAA makes it easier to circulate information once gathered, but it is not itself a storage system. For a huge storage system, go check out the Medical Information Bureau [mib.com] (MIB) web site. They have a FAQ [mib.com] about what they do, what medical information they store, and who they share it with. MIB exists to prevent fraud (a good thing), but I'd sure like to know what their security is like.
Finally, for another reason to repeal HIPAA and decentralize information, read about the "Emergency Health Powers Act" [healthprivacy.org]. Again, designed for good reasons, but could be applied in very heavy-handed ways. The Health Powers Act specifically shields companies from liability.