Break-In Compromises 160k Medical Records At UC Berkeley

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

Duh..

[by Anonymous Coward]

If it's connected to internet, it's just matter of time.

Re:Duh..

[NoStarchPlox (1552983)]

UC Berkeley using a BSD? That's highly illogical!

Re:Duh..

[cayenne8 (626475)]

This is a reason why they have to pretty much pull teeth from me, in order for me to give my SSN to any one or any entity that is not related directly to SSN monies and benefits.

I don't give them to insurance people, I don't give them to Dr.'s or medical institutions, or even utilities (cable, phone). etc). I don't give it out to hardly anyone. Sometimes it is a fight, but, very seldom has it happened, that when I was going to walk away from the transaction, did they not cave and say "ok".

The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

Re:Duh..

[v1 (525388)]

The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn.

Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality.

This is true of any of the places that are not authorized by law to require your ssn. So same applies to the others that are often brought up, such as utilities, and pretty much always applies to calculation of a deposit or interest rate.

Re:

[cayenne8 (626475)]

"It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn. Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of tou

Auditing Logs

[DigiWood (311681)]

Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

Re:

[PolygamousRanchKid (1290638)]

Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

This is a bit of a dilemma, if the systems administrator and the hacker are one in the same person.

Re:

[Z00L00K (682162)]

That's only reserved for a select few sites.

Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.

And then - many systems today lacks necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless

Re:Auditing Logs

[Archangel Michael (180766)]

Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

The old saying "don't fix it, if it ain't broke" runs many IT Depts.

Re:

[Culture20 (968837)]

Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

A lot of that is left up to parsing scripts, interns, or just ignored. Plus, "Odd" is relative. If one of your people is overseas in China, and his VPN account logs in from China IPs at odd times of the day, it could be normal. Until it logs in twice at the same time or after he comes home, you won't notice.

Brutal

[lorenlal (164133)]

This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.

This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.

Re:

[sys.stdout.write (1551563)]

It would seem to me that this would be an argument for a national EMR database. Instead of having thousands of individual databases, all with different levels of security and admin competence, we would have one.

how is this interesting ?

[viralMeme (1461143)]

"It would seem to me that this would be an argument for a national EMR database"

I totally agree .. and who scored that nonsense up 'interesting'?

"This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely"

Look, all it takes is to implement systems that are as secure as possible

Re:how is this interesting ?

[lorenlal (164133)]

The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.

And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.

You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.

Re:

[NoStarchPlox (1552983)]

I agree. Rather than just this being isolated breaches of information it's much better that when attacked they have access to everyone's info! Brilliant!

Re:

[Culture20 (968837)]

But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

Assuming that it _must_ be an either-or scenario, I'd rather have my medical history on port 80 open to the world. Sure, there'd be some (a lot of) abuses, but at least my doctors would know my medical history in an emergency or in case I get some long-term condition.

Re:

[lorenlal (164133)]

And I'd rather have mine not on port 80 at all. It should be at least port 443, and better yet, on some seriously secured interface where accessing that data requires some sort of transaction ID, and pre-auth with the data holder.

Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* the my doctor's office directly to make sure my "history" is correct.

Has anyone ever wondered how people are supposed to verify the accuracy of these records?

Re:

[plover (150551)]

But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?

What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, c

Re:

[lorenlal (164133)]

You sir, are addressing this from a much better angle. The biggest reason EMRs are so valuable is because of the non-health information kept with them.

I personally don't care if the entire world knows I had knee surgery. In cases where someone had heart surgery, it's likely that they don't want a life insurer or health insurer to know... but they'll know anyway since that's their business. AFAIC - If our EMRs are not valuable to anyone outside the health industry, then I have no problem with them being p

This is a huge, everyday, constant problem.

[silver007 (1479955)]

Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens everyday, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSN's, DOB's, etc into the garbage or post them to the net. It's horrific. At least when hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.

Re:

[0100010001010011 (652467)]

Maybe we should stop making SSNs the end all be all of who we are.

Re:

[Cro Magnon (467622)]

Or we should quit using an identifier as a password.

Old Story

[Plekto (1018050)]

http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/ [wired.com]

The email informing students of the breach was sent on May 8th. It was all over the news last Friday.

Re:

[jggimi (1279324)]

Yes, but the most interesting part of the story is at Berkeley's website [berkeley.edu]. They were entirely unaware of the intrusion until the "highly skilled" intruders, having had their way with Berkeley's system(s) for eight months, "...left messages on the server."

Re:

[Jazzer_Techie (800432)]

Here is the text of the email that was send out to the Berkeley community.

Colleagues,
We want to let you know that today the campus is sending notification letters and emails to members of our community to inform them of a computer breach that resulted in the theft of personal information from databases in our University Health Services, UHS, area.

The victims of this crime are current and former students, as well as their parents and spouses if linked to insurance coverage, who had UHS health care coverage o

Re:

[dwye (1127395)]

> Slashdot editors posting stories that are days old? Never!

Evidently, this is the exception that proves the rule.

Normally, they wait until a story is a month or two old, but someone screwed up and posted it before its time.

Re:

[plover (150551)]

> Slashdot editors posting stories that are days old? Never!

Evidently, this is the exception that proves the rule.

Normally, they wait until a story is a month or two old, but someone screwed up and posted it before its time.

Don't worry, someone will post a dupe of it about the time it's due.

Time to live in secrecy

[commodore64_love (1445365)]

Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.

If you don't have these accounts, you won't be vulnerable to monetary or identity theft.

Re:

[ewanm89 (1052822)]

you also wouldn't have any proof identification or citizenship. No driving licence... And someone stated some health records were stolen in this case.

And...

[Random2 (1412773)]

...they left this information accessible to the public because?

Re:

[NoStarchPlox (1552983)]

The information wasn't accessible through the public site. The problem was that the server compromised through the public website also contained the private databases.

Re:

[Random2 (1412773)]

But that's my point, why were they linked? Albeit more expensive, why not have a private server for just those databases, not connected to the internet? It seems like we need to worry about making our security better first so we don't have these problems. After all, removing the connection's the best way to stop someone hacking your computer.

Re:

[davidwr (791652)]

I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof but there point was, it was a lot more secure than what most people are using.

Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

Portions of the "corpor

Sometimes you need an air gap

[davidwr (791652)]

It's not just military-grade information that needs protecting.

If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

Re:

[Hatta (162192)]

So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?

Maybe they aren't. Re:Sometimes you nee

[davidwr (791652)]

If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.

Ho

'computers' hacked ..

[rs232 (849320)]

How did they manage to not once mention what Operating System these 'computers' run on

Break-in free zone signs

[Kohath (38547)]

The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.

Why is this news?

[mc1138 (718275)]

I mean, yeah its good that someone is reporting, but this sort of thing seems to be run of the mill these days. This sort of occurrence is happening more not less, to the point that security admins need to start taking this type of threat more seriously.

160,000 students records compromised

[viralMeme (1461143)]

'Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk'

Re:

[mc1138 (718275)]

Thanks for copying the title of the article. Did you read what I wrote? Or just the title? I'm not saying the news shouldn't report it, but this isn't anything new, and we'll continue to see more new articles like this till systems and security admins start taking a more serious approach to protecting their infrastructures.

Who could benefit from this medical info?

[Drakkenmensch (1255800)]

Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...

Re:

[darkdaedra (1061330)]

I got the e-mail -- I was a student there at the time. It wasn't the medical records that were compromised, just the SHIP (student health insurance plan) waiver application data that was stolen. Those waivers included SSNs. It's more of a credit/identity theft issue than a medical record issue -- unless of course identity thieves were using that information for health insurance applications, which is, I guess, a real possibility.

When will it be illegal to store/lose this data?

[odin84gk (1162545)]

When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Lets say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.

privacy? what privacy?

[bugi (8479)]

So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.

I wish that were funny.

Re:

[0100010001010011 (652467)]

Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?

(bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.

Re:Hackers or Crackers?

[Hatta (162192)]

Just because they're on the internet doesn't mean they're white.

Re:Hackers or Crackers?

[Culture20 (968837)]

If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
</feeding the troll>

Re:

[lorenlal (164133)]

Man if only they were using OpenBSD... That would've been so... much.... ummm....

Re:

[feranick (858651)]

What an idiotic comment: Assuming that all H1b visa holders are fraudulent criminals. Americans, instead are all angels. Yeah, right. Come on, on the opposite of you, I actually work at UC Berkeley (and I am a US citizen). Most of the H1b are granted to researcher who are valued as an asset for the university. If the US education system would be better than what it is, you would see a much lower number of H1b visas at UC Berkeley.