Forgot your password?
typodupeerror
Privacy Data Storage Education Security News

Break-In Compromises 160k Medical Records At UC Berkeley 167

Posted by timothy
from the no-ivy-league-nudes-on-file-at-berkeley dept.
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
This discussion has been archived. No new comments can be posted.

Break-In Compromises 160k Medical Records At UC Berkeley

Comments Filter:
  • Duh.. (Score:3, Insightful)

    by Anonymous Coward on Tuesday May 12, 2009 @11:58AM (#27924003)
    If it's connected to internet, it's just matter of time.
  • by Anonymous Coward on Tuesday May 12, 2009 @11:59AM (#27924013)

    If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

  • Auditing Logs (Score:5, Insightful)

    by DigiWood (311681) on Tuesday May 12, 2009 @12:02PM (#27924061)

    Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

  • Brutal (Score:5, Insightful)

    by lorenlal (164133) on Tuesday May 12, 2009 @12:04PM (#27924093)

    This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this of safely.

    This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medial building with 160K charts... Or 8 Million in VA.

  • by 0100010001010011 (652467) on Tuesday May 12, 2009 @12:10PM (#27924191)

    Did they get into the system with intricate knowledge of computer systems or did they brute force and crack a password or other encryption scheme?

    (bad) Hacker may be an appropriate term. Just as there are probably (good) hackers probably trying to figure out who did this.

  • by ewanm89 (1052822) on Tuesday May 12, 2009 @12:13PM (#27924251) Homepage
    you also wouldn't have any proof identification or citizenship. No driving licence... And someone stated some health records were stolen in this case.
  • And... (Score:2, Insightful)

    by Random2 (1412773) on Tuesday May 12, 2009 @12:15PM (#27924275) Journal
    ...they left this information accessible to the public because?
  • by davidwr (791652) on Tuesday May 12, 2009 @12:16PM (#27924293) Homepage Journal

    It's not just military-grade information that needs protecting.

    If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-fishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

    With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

    For some systems, a man in the middle is overkill, alarms that trigger when there are more than a typical number of data requests is sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

  • Re:Auditing Logs (Score:3, Insightful)

    by Z00L00K (682162) on Tuesday May 12, 2009 @12:18PM (#27924303) Homepage

    That's only reserved for a select few sites.

    Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.

    And then - many systems today lacks necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless you are the programmer.

  • Re:Auditing Logs (Score:5, Insightful)

    by Archangel Michael (180766) on Tuesday May 12, 2009 @12:22PM (#27924375) Journal

    Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

    I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

    Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

    The old saying "don't fix it, if it ain't broke" runs many IT Depts.

  • Re:And... (Score:2, Insightful)

    by Random2 (1412773) on Tuesday May 12, 2009 @12:24PM (#27924393) Journal
    But that's my point, why were they linked? Albeit more expensive, why not have a private server for just those databases, not connected to the internet? It seems like we need to worry about making our security better first so we don't have these problems. After all, removing the connection's the best way to stop someone hacking your computer.
  • Re:Brutal (Score:2, Insightful)

    by sys.stdout.write (1551563) on Tuesday May 12, 2009 @12:24PM (#27924401)
    It would seem to me that this would be an argument for a national EMR database. Instead of having thousands of individual databases, all with different levels of security and admin competence, we would have one.
  • by Hatta (162192) on Tuesday May 12, 2009 @12:28PM (#27924467) Journal

    So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?

  • by 0100010001010011 (652467) on Tuesday May 12, 2009 @12:35PM (#27924575)

    Maybe we should stop making SSNs the end all be all of who we are.

  • by Culture20 (968837) on Tuesday May 12, 2009 @12:43PM (#27924695)

    If they're infiltrating with malicious intent, I don't think 'hacker' is the proper term here...

    Yeesh, give it a rest. Evil computer infiltrator is the predominately accepted definition for Hacker these days. No one calling you a Geek today thinks you bite the heads off small animals. In fact, Geek's etymology stems back to an old English word for "Fool", whereas today it means a smart, unliked person (although it's starting to lose the "unliked" portion of its definition with the rise of the ubiquitous computer culture). I predict in 20-40 years, "Hacker" will be synonymous with "Con-man" as more "crackers" shift into social engineering either in person or via email/IM...
    </feeding the troll>

  • by davidwr (791652) on Tuesday May 12, 2009 @12:44PM (#27924715) Homepage Journal

    If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.

    However, the details of your bout with the flu 2 years ago or your recovery from your car accident 10 years ago won't be available without human assistance. Neither will the details of your insurance coverage.

    There is a balance that needs to be struck between "what could reasonably be so important it can't wait until normal business hours to access" and everything else. Only the former would be retrievable 24/7 without waiting for a person.

  • Re:Brutal (Score:3, Insightful)

    by plover (150551) * on Tuesday May 12, 2009 @01:07PM (#27925037) Homepage Journal

    But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

    Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?

    What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, credit fraud and identity theft would dramatically slow down.

    We stupidly keep putting up with this crap. Regardless of how much security burden we place on banks, stores, schools and hospitals, there are always going to be leaks. With so many millions of retailers that have little to no oversight, there statistically HAVE to be "weak spots." Always. We have to change the fundamentals if we're going to fix the real problem.

When all else fails, read the instructions.

Working...