US Healthcare Records Offered For Sale Online
An anonymous reader writes: Three U.S. healthcare organisations are reportedly being held to ransom by a hacker who stole data on hundreds of thousands of patients. The hacker has also put the 650,000 records up for sale on dark web markets where stolen data is traded. Prices for the different databases range from $100,000 to $411,000. Buyers have already been found for some of the stolen data, the hacker behind the theft told news site Motherboard. No information about the size of the ransom payment sought by the data thief has emerged, although he did say it was "a modest amount compared to the damage that will be caused to the organisations when I decide to publicly leak the victims."
Re: (Score:2)
Re: (Score:2)
Because it's usually not easy to find them, and once you do, you notice that they sit in a country that doesn't even pick up the phone when you call them to ask for them to be handed over.
Nobody outside the "west" gives a shit about data theft.
Re: (Score:2)
You don't do that with countries that have nukes.
Re: (Score:2)
You can always do it the old fashioned way.
Re: Why not find and execute the hacker? (Score:2)
Send them a strongly worded letter about how angry you are with them!
Re: (Score:2)
I think he meant kidnapping (see also the practice of 'extraditing' former Third Reich fugitives to Israel in the 1950's, 1960's, 1970's... not so much these days, mostly due to attrition).
Could be a new and improved use of Guantanamo Bay, truth be told.
Re: (Score:2)
Ask the content industry how well that worked out.
Re:Why not find and execute the hacker? (Score:5, Insightful)
I can recall several reasons — all of which I've encountered here on /. over the years and they've achieved acclaim and high moderations:
Re: (Score:1)
You forgot the best reason:
The "hacker" was an agent used to "leak" the documents, sell them to the pharma companies, and provide plausible deniability when people start complaining about all the junk mail they're getting.
Re: Why not find and execute the hacker? (Score:2)
There is a saying that the only way to truly secure your server is to disconnect it from the network. However HIPAA requires EMR, so that's not an option.
So I have to ask, why are you calling for the victim to be executed and replaced with somebody who is known for less than ethical behavior?
This is similar to how Islamic countries give lashings to raped women for adultery and then let the rapist go scot-free because it wasn't his fault that the woman's looks were tempting.
Re: (Score:2)
However HIPAA requires EMR, so that's not an option.
Curious as to why that can't be on its own network (or at least a network of VPNs...)
Re: Why not find and execute the hacker? (Score:2)
Because you inevitably have to be able to transfer those records to another health care provider (and/or the patient himself) when the patient either requests it or authorizes it, as per the law. Sure, you can keep it within a secure network, but there is basically no such thing as perfect security.
Remember, the employees are typically the weakest link. No CIO in the world (or anybody else for that matter) can 100% guarantee the security of any system that has more than one authorized user, no matter the ci
Re: (Score:2)
Woooosh... [troll.me]
Re: (Score:2)
Re: (Score:2, Insightful)
Can anyone give me one reason why the authorities shouldn't find the hacker and promptly execute him?
Yeah, didn't think so...
Short answer: Jurisdiction
But can anyone give me one reason why the authorities shouldn't find the person responsible for implementing these insecure systems and promptly put them in a pillory?
Re: (Score:3)
But can anyone give me one reason why the authorities shouldn't find the person responsible for implementing these insecure systems and promptly put them in a pillory?
Because he's a rich white CIO and has plenty of money and corporate power behind him to make sure he faces no consequences?
Oh, sorry, that might have been four reasons, not one.
Now, then, who's gonna do one damn thing about the system that perpetuates such circumstances? I'll be out back listening to the crickets.
Re: (Score:1)
Yeah, you can pretty much bet that outside of someone completely incompetent setting up their network security (which is always a possibility), it came down to "Secure implementation costs $X. Less secure implementation costs $LESS_THAN_X." and some exec or bean-counter said "Go with $LESS_THAN_X".
Re: (Score:2)
Under the GOP system there was already a risk pool of last resort.
Much less intrusive than trying to re-engineer the entire industry and less of a constitutional issue than forcing a consumer product on people.
Re: (Score:2)
Under socialistic systems, everyone gets the same crappy care. See VA hospitals for example.
Re: (Score:2)
Or look at the countries with better healthcare outcomes than the US, for much less money. I'll wait for you to complain about how large the US is, and I'll point out that healthcare scales very well - more people to serve = more taxpayers = money to pay for their care. Then I guess I'll wait for some nebulous argument about "diverse cultures" and how the countries which pay less for comparable or better care don't have such "problems" or some other nonsense, and point out that that argument has no bearin
Re: (Score:2)
FYI, they also measure outcomes differently in different countries, so that even if the statistics are correct, they are measuring entirely different datasets.
For instance, it is often touted that infant mortality rates are lower in certain countries. While that Statistic is accurate as a statement, the two countries are measuring it differently. In the US, Premature births of all types and kinds are included, where they are not in other countries. And if you include premature birth rates, the Actual statis
Re: (Score:2)
Got a citation for that? Because I have one that [stanford.edu] shows you are spouting more libertarian BS:
Re: (Score:3)
Can anyone give me one reason why the authorities shouldn't find the hacker and promptly execute him?
Yeah, didn't think so...
Our FBI can do that only if it can be shown that the hacker annoyed Hollywood in some way. To protect yourself in the future, see your doctor and ask if there isn't some way you can work a copyrighted song lyric into your medical file.
Where do I sign up? (Score:5, Interesting)
Where do I sign up?
The last time I requested my medical records from my doctor I was told that they could not provide many of them (especially the expensive MRI images), and of those they could provide they would charge a high fee for duplication. I was looking at paying somewhere between $50-100. I'm fairly certain they were doing this to prevent me from moving to another practice.
If this guy had my records I'd be happy to pay him $10 for them.
Re: (Score:1)
That's interesting. I had some CT's taken, I asked for the 'image data' (I work in the 'healthcare industry' & have specific knowledge of the format of this data. So besides even thinking of taking it elsewhere I was going to 'play with it' some day to make a 3D model of the area of my body they imaged just for 'shits & giggles'), I was given it on CD in 10 minutes.
Your mileage varies I guess.
Re: (Score:2)
I can echo the GP's experience. One doctor I went to wouldn't transfer any records of any kind to another doctor without being paid a fee, which I think was something like $75. Such practices seem self-defeating, to me, but I guess they're common enough.
Re: Where do I sign up? (Score:2)
I'm pretty sure that's illegal. Under HIPAA, you as a patient have the final say in who has access to your medical records, and I'm fairly certain that it's an ethics violation for your doctor to deny you the ability to get a second opinion. In fact, if you run into a doctor that hates second opinions then you should find a new one anyways, as every good doctor is willing to accept that sometimes they're wrong and even appreciates a second opinion, and their ultimate goal is your health, not their ego.
Re: (Score:2)
That's only true if they give the records to you, the patient. However you always have the right to have them transferred to another practitioner without charge.
Re: (Score:2)
Re: (Score:2)
A lot of doctors use HIPAA as an excuse to cash in.
Re: Where do I sign up? (Score:2)
What? As somebody with a chronic disease, I see lots of doctors and haven't had this once. If they do something like this then they're blatantly breaking the law, because HIPAA explicitly guarantees you the right to have access to your own records, in addition to you being allowed to control who else can or can't access them.
http://www.hhs.gov/hipaa/for-p... [hhs.gov]
Re: (Score:2)
A lot of doctors are quitting medicine, because the state has declared them to be indentured servants required to perform services for little or no pay.
Re: (Score:1)
Once upon a time (a decade ago), there was a medical study done at/near the local university for some sort of drug trial. Maybe you got the placebo, maybe you got the drug, right? Run on a treadmill or use an exercise bike for so many minutes, they run some tests, and take some scans (including brain scans). And they were going to pay some cash, plus you got a copy of the brain scans.
If I had met the qualifications (I was outside the age range they were looking for), I would have done it just for the brain
Re: (Score:2)
Well, if they have the data available immediately, then making a copy for you is basically free because it's right there.
The problems ar
Re: (Score:2)
They charge because the law says they are allowed to, the cost per page varies from state to state. Seems ridiculous and frankly unprofessional as those records may have information that could save your life or prevent your early death.
Re: (Score:2)
Just don't ask about the photocopier [youtube.com].
Re: (Score:2)
Sure you can fix that by suing the Bastard in the Court that charges $5.00 a page for copying their court transcripts; we charge $15.00 for records copy from our dental office, the Hospital charged me $150.00 when they managed my MD's office.
Re: (Score:2)
This is an area that's kind of in flux - as practices have moved to EMRs, many of them have only scanned in key items from records - the rest is still in a manila folder either on a shelf in the office or if you have
Inefficient fragmentation! (Score:1)
Can't wait for there being a single-payer system [cnbc.com]. The job of hackers world-wide will be much easier as they wouldn't need to waste efforts coming up with different ingenious ways of hacking different organizations.
Re: (Score:2, Insightful)
Re: (Score:2)
It's not about the insurers, it's about many of us not wanting to be forced into a system bigger and more corrupt than the VA. If you get screwed over by single payer, you have zero recourse. So then what, we have to have private insurance along with our single payer? I'd rather just have the private insurance and be done with it.
Deserving healthcare (Score:1)
You only deserve, what you paid for. Whether you have a job or not is irrelevant.
You don't deserve free emergency room treatment either.
Re: (Score:2)
You're an idiot. We won't get the NHS. We will get more of what we already have in terms of Medicaid and Medicare. You lot are simply too cheap.
The NHS would collapse based on what Americans of both parties are willing to spend on public healthcare.
Re: (Score:1)
Hey, if it leads to single payer, let's grease that slope and tilt it up to 90 degrees. The records are being made public anyway. We may as well get some service for it.
Re: (Score:2)
PS: anybody know why my arm keeps going numb?
Yes, and keep it down - your mom is trying to sleep.
Re: (Score:2)
since i have never received any healthcare (and according to my HC plan, never will), i have no health care records.
PS: anybody know why my arm keeps going numb?
If it gets bad enough just cut it off. Luckily since it's numb you won't even need to worry about anesthetic!
The information (Score:1)
My medical records have my d.o.b, SSN, name, address, and everything needed to use my ID to get credit, file taxes, and get a host of legal docs and IDs.
Re: (Score:2)
Sounds more like a problem with people trusting a bunch of numbers to describe you.
If we put the liability on people accepting falsified information, rather than the person being cloned, the problems would disappear.
Re: (Score:3)
Say that after someone uses your name and SSN to open a property loan under your name (and default on it, naturally).
Re: (Score:2)
Identification (Numbers etc) isn't secret. That's what makes them useful. It is also way too easy to prove you're someone you're not, simply by providing enough (one??) piece of identifying information. Two Factor Authentication should be more or less standard operations now. But it is inconvenient.
Curiosity Question (Score:3)
Re: (Score:2)
If this hack was made on systems which were accessible from the Internet, why the frack were they accessible from the Internet in the first place??
Bwahahaha, How the fuck do you think we submit claims to your insurance company for reimbursement? Sure some stuff goes out over some vendor's private protocol over the internet, but most goes through the insurer's website. I can go to Delta's, log on and if you're a Delta subscriber, find you and download all of your Explanations of Benefits for the last 5 years as PDF; the judges love when we are suing for non-payment.
Most Healthcare workers are functionally computer illiterate, an encrypted zip will send
See your own health record while you. An (Score:3)
Since HIPAA allows virtually everyone other than yourself to access your medical records, you might want to go to this site and buy access to your own records while the opportunity exists.