
Break-In Compromises 160k Medical Records At UC Berkeley

Posted by timothy
from the no-ivy-league-nudes-on-file-at-berkeley dept.
nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The break-ins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
  • Duh.. (Score:3, Insightful)

    by Anonymous Coward on Tuesday May 12, 2009 @11:58AM (#27924003)
    If it's connected to the internet, it's just a matter of time.
    • by madman101 (571954)
      From the university's press release:

      The attackers accessed a public Web site and subsequently bypassed additional secured databases stored on the same server.

      OK, what moron keeps sensitive databases on a public web server?
  • Auditing Logs (Score:5, Insightful)

    by DigiWood (311681) on Tuesday May 12, 2009 @12:02PM (#27924061)

    Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

    • Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

      This is a bit of a dilemma, if the systems administrator and the hacker are one and the same person.

    • Re: (Score:3, Insightful)

      by Z00L00K (682162)

      That's only reserved for a select few sites.

      Odd behavior is sometimes hard to distinguish from normal behavior, so you can't get everything. And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns because the deed may be over at the time the analysis has finished.

      And then - many systems today lack necessary logs and may even lack logs completely. That's all too common in those cost-pressed projects. Even if there is a log it's often incomprehensible unless

      • And in some cases the traffic volume is so large that it's not feasible to try to catch behavior patterns

        We have these things called computers, you know...

    • Re:Auditing Logs (Score:5, Insightful)

      by Archangel Michael (180766) on Tuesday May 12, 2009 @12:22PM (#27924375) Journal

      Most "Systems Administrators" are people like me, who know enough to keep a wide variety of systems functioning, with little or no training, and are expected to spend a great deal of time and energy keeping the systems functioning ... all by themselves. The scope of responsibility of many of these "System Administrators" spans much further than auditing logs.

      I only WISH I had the time to audit logs, and make corrective actions. But our staff has 6000 PCs and three dozen (or more) servers that we have to keep running.

      Administration doesn't care about hackers until it is too late. They don't care about computers or keeping them running, until they are without. It is like all those people bitching and complaining when they don't have electricity for a day after a storm. They don't care what it takes to keep the juice flowing until it isn't.

      The old saying "don't fix it, if it ain't broke" runs many IT Depts.

    • Re: (Score:3, Informative)

      by Culture20 (968837)

      Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

      A lot of that is left up to parsing scripts, interns, or just ignored. Plus, "Odd" is relative. If one of your people is overseas in China, and his VPN account logs in from China IPs at odd times of the day, it could be normal. Until it logs in twice at the same time or after he comes home, you won't notice.
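An added illustration of the check described in the comment above (not part of the original post or written by its author): flag an account that logs in from a second source address while another of its sessions is still open. The log format, account names, addresses and the 12-hour stale-session cutoff are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log. Assumed format: UTC timestamp, event, account, source IP.
# Entries are assumed to be in time order, as a connection log normally is.
SAMPLE_LOG = """\
2009-05-11T23:10:00Z LOGIN  alice 203.0.113.10
2009-05-11T23:55:00Z LOGOUT alice 203.0.113.10
2009-05-12T01:00:00Z LOGIN  bob   198.51.100.7
2009-05-12T01:05:00Z LOGIN  alice 203.0.113.10
2009-05-12T01:20:00Z LOGIN  bob   198.51.100.7
2009-05-12T01:40:00Z LOGIN  alice 192.0.2.44
garbage line that does not parse
2009-05-12T02:00:00Z LOGOUT alice 203.0.113.10
2009-05-12T02:30:00Z LOGIN  alice 203.0.113.10
2009-05-12T03:00:00Z LOGOUT bob   198.51.100.7
"""


class Alert(NamedTuple):
    user: str
    when: datetime        # time of the second, overlapping login
    new_ip: str           # address the new login came from
    open_ip: str          # address of the session that was already open
    open_since: datetime  # when that earlier session started


def find_concurrent_logins(lines, max_session=timedelta(hours=12)):
    """Return (alerts, skipped): overlapping logins from different IPs, bad lines."""
    open_sessions = defaultdict(dict)  # account -> {source_ip: login_time}
    alerts, skipped = [], 0
    for line in lines:
        parts = line.split()
        if not parts:
            continue  # ignore blank lines
        try:
            ts_raw, event, user, ip = parts  # ValueError on wrong field count
            when = datetime.strptime(ts_raw, TS_FORMAT).replace(tzinfo=timezone.utc)
            if event not in ("LOGIN", "LOGOUT"):
                raise ValueError(event)
        except ValueError:
            skipped += 1  # count unparseable lines so gaps in the log are visible
            continue

        sessions = open_sessions[user]
        # Drop sessions older than max_session: their LOGOUT record was
        # probably lost, and keeping them would alert on every later login.
        for stale_ip in [i for i, t in sessions.items() if when - t > max_session]:
            del sessions[stale_ip]

        if event == "LOGOUT":
            sessions.pop(ip, None)
            continue

        # A reconnect from the same address is normal; a second address
        # while the first session is still open is what gets flagged.
        for other_ip, since in sessions.items():
            if other_ip != ip:
                alerts.append(Alert(user, when, ip, other_ip, since))
        sessions[ip] = when
    return alerts, skipped


if __name__ == "__main__":
    found, bad = find_concurrent_logins(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.when:%Y-%m-%d %H:%M} {a.user}: login from {a.new_ip} "
              f"while session from {a.open_ip} open since {a.open_since:%H:%M}")
    print(f"{bad} unparseable line(s) skipped")
```

The check says nothing about which of the two sessions is the legitimate one; it only narrows the log down to the accounts worth a human look.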

    • Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

      Nah, there's an iPhone app for that.

  • Brutal (Score:5, Insightful)

    by lorenlal (164133) on Tuesday May 12, 2009 @12:04PM (#27924093)

    This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this off safely.

    This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves? And in the break in scenario, there's less stolen data. You're not walking out of a medical building with 160K charts... Or 8 Million in VA.

    • Re: (Score:2, Insightful)

      It would seem to me that this would be an argument for a national EMR database. Instead of having thousands of individual databases, all with different levels of security and admin competence, we would have one.
      • "It would seem to me that this would be an argument for a national EMR database"

        I totally agree .. and who scored that nonsense up 'interesting'?

        "This is why a national requirement for EMR systems isn't a good idea right now. The staffers that have to take care of this (in light of recent events in Virginia) are getting hung out to dry either because they don't have the training, or the budget, or both to pull this off safely"

        Look, all it takes is to implement systems that are as secure as possible
        • by lorenlal (164133) on Tuesday May 12, 2009 @12:53PM (#27924851)

          The most dangerous opening to a statement involving security is "All it takes..." I've had to manage an EMR system. I've had to deal with the security aspect. I also had to do it fresh out of college.

          And if you think that having one target for all this information makes it more secure? I have to totally disagree. I've worked with plenty of folks who have ties or worked for the government. They're exactly who I'm talking about when I say "lack of training, or budget, or both." You could audit everything you want, but if you don't know what to look for, or you're not watching the audit logs, it doesn't matter what you've got in place. I've taken a look at logs of an intrusion, and I've seen at least one case where the success happened because the attacker was already armed with data. First attempt succeeded cause they had a valid username/password... Someone else's.

          You can't foolproof a public facing system... You can't geniusproof it either. There will be a compromise, it's just a matter of how small you can make it.

      • Re: (Score:2, Funny)

        by NoStarchPlox (1552983)
        I agree. Rather than just this being isolated breaches of information it's much better that when attacked they have access to everyone's info! Brilliant!
    • by Culture20 (968837)

      But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

      Assuming that it _must_ be an either-or scenario, I'd rather have my medical history on port 80 open to the world. Sure, there'd be some (a lot of) abuses, but at least my doctors would know my medical history in an emergency or in case I get some long-term condition.

      • by lorenlal (164133)

        And I'd rather have mine not on port 80 at all. It should be at least port 443, and better yet, on some seriously secured interface where accessing that data requires some sort of transaction ID, and pre-auth with the data holder.

        Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* my doctor's office directly to make sure my "history" is correct.

        Has anyone ever wondered how people are supposed to verify the accuracy of these records?

        • Furthermore - In that scenario, if I was in an emergency, I'd rather have the freaking hospital *call* my doctor's office directly to make sure my "history" is correct.

          Right, because your doctor's office is open at 2am when you arrive at the emergency room. And I am sure you've found a way to make sure that, even in an extreme medical emergency, you will be able to stay alive without treatment for an extra 30 minutes while you're waiting for your doctor to get paged and call the ER docs back about y

          • by lorenlal (164133)

            Excellent counterpoint regarding a closed doctor's office. Here are my rebuttals:
            1) Pertinent information in your medical history that would likely pop up would probably also be located in your local hospital. In fact, drug interactions and common procedure allergies will normally be discovered in the 24 hour hospital. Besides, doctors have to provide copies of what happens when you visit a practice to the local hospital and/or insurer anyway. It's part of the great medical (verifiable) paper trail.
            2) I

            • by sgent (874402)
              Besides, doctors have to provide copies of what happens when you visit a practice to the local hospital and/or insurer anyway. It's part of the great medical (verifiable) paper trail.

              This is absolutely wrong -- your insurance company, yes (but usually only procedures and diagnosis, not allergies, etc), but local hospital -- absolutely not.

              2) In the hospital, when you're suffering from your emergency that'll kill you in 30 minutes, chances are they won't even have time to hunt down your electronic recor

            • Valid points, all. I think this is not really an argument about technology, but about whether the risks of EMR outweigh its benefits -- and that is largely subjective.

              Per your four points:

              1. Not true. My local hospital has very little pertinent information on me. I also travel a lot and so my medical history is scattered around the U.S.
              2. How will they know your insurer? And why would your insurer know your allergies and complete medical history? I've had more than three different insurance companies in the
    • Re: (Score:3, Insightful)

      by plover (150551) *

      But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

      Stand the problem on its ear: what if this information were worthless to credit thieves? What if this information simply was no longer able to wreck someone's life?

      What we should do instead is make the paradigm of "name, address, SSN, etc.", valueless. Figure out a way to issue credit that wasn't strictly information based. One way would be to make the banks stop issuing credit by mail. If you physically had to walk into a secure building, and present credentials to someone trained to review them, c

      • by lorenlal (164133)

        You sir, are addressing this from a much better angle. The biggest reason EMRs are so valuable is because of the non-health information kept with them.

        I personally don't care if the entire world knows I had knee surgery. In cases where someone had heart surgery, it's likely that they don't want a life insurer or health insurer to know... but they'll know anyway since that's their business. AFAIC - If our EMRs are not valuable to anyone outside the health industry, then I have no problem with them being p

      • by sowth (748135)

        Public key cryptography would solve the problem. You could give your public key to anyone without worry they could use it to impersonate you. Well, unless they are able to calculate the private key from the public key, but from what I understand this is currently impractical for even the NSA if you use a decent key size. Maybe quantum computing or advances in mathematics may change the situation, but we will have to just find something else at that point.

        We could've had a public key system in place nearly

    • by MobyDisk (75490)

      Part of me wants this to happen now. There's no technological reason this stuff can't be reasonably secured. It is pure rampant stupidity. Computer security practices today are comparable to security guards leaving the back door unlocked so they can take a smoke break and get back in. The only thing that will fix this stuff is constant rampant security violations.

      Worst-case, people just come to accept it and privacy dies. I guess that is quite a price to pay...

    • by AK Marc (707885)
      This will always be an argument against EMR systems - How much harder is it to break into someone's office or a hospital and rip off *everyone's* data. Sure, you could break in, steal a few and then torch the building... But which is worse? Missing your medical history or having all that personal identifiable information in the hands of credit thieves?

      Missing my medical history. I don't care if someone steals my "credit." Identity theft is blaming the 3rd party victim for a bank's insecure practices. I
      • by lorenlal (164133)

        Agreed with the credit-fraud assessment. But I think we both know how quickly the feds will require that the banks and creditors clean up their acts...

  • by silver007 (1479955) on Tuesday May 12, 2009 @12:05PM (#27924101) Journal
    Surf on over to datalossdb.org and sub to the RSS feed. Something like this happens every day, multiple times per day. The bad part is most of the time it's not hackers, it's employees that dump SSNs, DOBs, etc into the garbage or post them to the net. It's horrific. At least when a hacker does it, it was done deliberately by someone with half a brain. Most of the time, it's clueless employees scattering our personal information about the grounds like it's fertilizer.
  • Old Story (Score:5, Informative)

    by Plekto (1018050) on Tuesday May 12, 2009 @12:05PM (#27924107)

    http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/ [wired.com]

    The email informing students of the breach was sent on May 8th. It was all over the news last Friday.

    • Re: (Score:2, Informative)

      by jggimi (1279324)
      Yes, but the most interesting part of the story is at Berkeley's website [berkeley.edu]. They were entirely unaware of the intrusion until the "highly skilled" intruders, having had their way with Berkeley's system(s) for eight months, "...left messages on the server."
    • Re: (Score:3, Informative)

      by Jazzer_Techie (800432)

      Here is the text of the email that was sent out to the Berkeley community.

      Colleagues,
      We want to let you know that today the campus is sending notification letters and emails to members of our community to inform them of a computer breach that resulted in the theft of personal information from databases in our University Health Services, UHS, area.

      The victims of this crime are current and former students, as well as their parents and spouses if linked to insurance coverage, who had UHS health care coverage o

  • by commodore64_love (1445365) on Tuesday May 12, 2009 @12:06PM (#27924129) Journal

    Between this hacking job, and the stolen records from the Virginia health services, and who knows how many other attacks, I'm thinking it might be a good idea to live "in secret" without any computer-based accounts of any kind. No bank accounts, no stock accounts, no credit cards other than maybe just one.

    If you don't have these accounts, you won't be vulnerable to monetary or identity theft.

    • Re: (Score:2, Insightful)

      by ewanm89 (1052822)
      You also wouldn't have any proof of identification or citizenship. No driving licence... And someone stated some health records were stolen in this case.
      • Technically you don't need a driver's license. You don't need permission to use the People's roads now, any more than you needed permission one hundred years ago when you had a horse-and-carriage. Just because you sold the horse and switched to a Model T doesn't mean you lose the inalienable right to travel.

        As for the proof of citizenship, an SSI card with birth certificate serves that purpose.

  • And... (Score:2, Insightful)

    by Random2 (1412773)
    ...they left this information accessible to the public because?
    • Re: (Score:2, Informative)

      by NoStarchPlox (1552983)
      The information wasn't accessible through the public site. The problem was that the server compromised through the public website also contained the private databases.
      • Re: (Score:2, Insightful)

        by Random2 (1412773)
        But that's my point, why were they linked? Albeit more expensive, why not have a private server for just those databases, not connected to the internet? It seems like we need to worry about making our security better first so we don't have these problems. After all, removing the connection's the best way to stop someone hacking your computer.
      • Re: (Score:2, Interesting)

        by davidwr (791652)

        I once read an article about a "right" way to secure data. Even the authors admitted it wasn't foolproof but their point was, it was a lot more secure than what most people are using.

        Every externally-facing computer was on its own sub-network, mostly isolated from everything else. Web sites, ftp sites, even wireless access points. They didn't have any sensitive data on them though. If they needed data, they requested it from data servers, which were in a very locked-down partition.

        Portions of the "corpor

  • by davidwr (791652) on Tuesday May 12, 2009 @12:16PM (#27924293) Homepage Journal

    It's not just military-grade information that needs protecting.

    If medical and financial information were warehoused in a way that required a "man in the middle" to approve a request, it might not prevent spear-phishing, and it might not prevent theft of "in use" data, but it would at least prevent wholesale data breaches from information warehouses.

    With a man-in-the-middle, you'd need to bribe or blackmail the man in the middle to allow a larger number of access requests to get through.

    For some systems, a man in the middle is overkill; alarms that trigger when there are more than a typical number of data requests are sufficient. However, automated alarms, like any automated system, can theoretically be compromised.

    • Re: (Score:3, Insightful)

      by Hatta (162192)

      So when you go to the emergency room, how is the hospital supposed to query your electronic medical records at your family doctor when it's behind an air gap?

      • If it's current, like allergies, summaries of chronic conditions that affect emergency and urgent health-care conditions, current prescription drugs you are taking, the names and pager numbers of your current doctors, and a current certification that you have current medical insurance that covers emergency and urgent care will probably be considered "current" and not "warehoused." These will be available 24/7, to both care-givers and to criminals who manage to compromise the system the data is stored in.

        Ho

    • Please, can we not call that "man in the middle"? That's a term used to describe an attack vector.

      "Gatekeeper" would be a far better term, IMO.

      And for that matter, what you suggest is already used in meatspace... if you want to access public records, typically you need to go through a "custodian of records" or some such... this person helps ensure the validity of requests.

      The problem with requiring a live person to act as a gatekeeper on digitally stored records is that in doing so, we lose a lot of
  • How did they manage to not once mention what Operating System these 'computers' run on
    • I was wondering about that myself, though it sounds like this was a compromised website issue rather than an OS issue. (So I guess the question is "was this a hole some programmer left in an ASP.NET page, or was it PHP? (or python or perl cgi)"...)
    • This was the University of California at Berkeley. The only OS they are permitted to run is the one they developed in-house: BSD, of course.

      They were running BSD, weren't they? Why the hell would they want to run anything else if they had concerns about security?

      • Because sometimes they want to run prepackaged software on an operating system which is supported by the vendor?

  • by Kohath (38547) on Tuesday May 12, 2009 @12:18PM (#27924315)

    The folks at Berkeley need to put up some "this room is a break-in free zone" signs so there are no more break-ins.

  • I mean, yeah it's good that someone is reporting, but this sort of thing seems to be run of the mill these days. This sort of occurrence is happening more not less, to the point that security admins need to start taking this type of threat more seriously.
    • 'Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk'
      • by mc1138 (718275)
        Thanks for copying the title of the article. Did you read what I wrote? Or just the title? I'm not saying the news shouldn't report it, but this isn't anything new, and we'll continue to see more new articles like this till systems and security admins start taking a more serious approach to protecting their infrastructures.
  • by Drakkenmensch (1255800) on Tuesday May 12, 2009 @12:26PM (#27924439)
    Smart money says that over the next five years, a whole lot of these people will be mysteriously refused insurance coverage, or be denied payment for "pre-existing conditions" that were never reported to their insurers...
    • Re: (Score:2, Informative)

      by darkdaedra (1061330)
      I got the e-mail -- I was a student there at the time. It wasn't the medical records that were compromised, just the SHIP (student health insurance plan) waiver application data that was stolen. Those waivers included SSNs. It's more of a credit/identity theft issue than a medical record issue -- unless of course identity thieves were using that information for health insurance applications, which is, I guess, a real possibility.
    • by Qzukk (229616)

      mysteriously refused insurance coverage

      It's unlikely that the insurance companies would act directly, after all, they'd be in really deep shit if they were found to be in possession of this data, and such an act would be too much of a coincidence to write off, especially after the first two or three Berkeley students get rejected.

      No, mid-to-large size corporations are the ones that'll use this. They'll be the ones that can afford a few bucks for "candidate screening" and since their employment decisions are

    • The federal government has already granted insurance companies carte blanche to your medical records. The fact this is sanctioned by the government is corrupt and despicable, nonetheless no criminal element can harm you more than these insurance companies can, so this "theft" is a non-event.

      Meanwhile, I'll continue to be denied all coverage because of Crohn's disease, which is not related to lifestyle, while people with obesity related diabetes and hypertension continue to readily receive it.

  • by odin84gk (1162545) on Tuesday May 12, 2009 @12:34PM (#27924539)
    When will there be a law that will either 1.) Fine a company for every social security number that is published/hacked/stolen (to the point that they either spend the money on security OR they STOP storing social security numbers/cc numbers), or 2.) make it illegal to store a social security number/credit card number? Let's say you are a university trying to give a student loan to a prospect. Sure, you need to run a credit inquiry and identity verification, but after that you give them a student ID to replace their SSN. Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.
    • by plover (150551) *

      Stop storing this information unless you are able to prove beyond a shadow of a doubt that you are able to secure this information.

      Unfortunately, there is (and can be) no such proof. It's a part of the fundamentals of security: you can't prove a negative.

      The way I see it, we really have three choices for protecting data:

      • Armor your systems against all the possible known attacks. Use firewalls, intrusion detection systems, encrypt the data, require smart card access mechanisms, patch your servers, blah, blah, blah.
      • Reduce or remove the sensitive data entirely. You do not have to protect it if you do not have it.
      • Take away the
      • by mlts (1038732) *

        A fourth would be separation of data onto different databases on different servers. If social security numbers are not needed, have those stored in a smaller armored database that doesn't connect to the Web. Instead, use another number.

        This way, if an application needs information, it can grab what it needs, but no more.

    • Some states like California do punish companies who have a security breach involving Credit Card numbers and SSNs.

      2.) make it illegal to store a social security number/credit card number?

      If credit card numbers are hosted by your company, the company is probably subject to the rules established by the PCI Security Standards Council (See https://www.pcisecuritystandards.org/ [pcisecuritystandards.org] ). If your business does not comply, the Payment Card Industry will now allow you to process financial transactions, or they will limit

    • It already is. California has a law (SB 1386) that has been in effect since 2003 concerning the responsibility of companies and government agencies to keep their databases secure and to publicly report any breach of confidential personal information within 30 days of the incident.

      Full text of the bill is here: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html [ca.gov]

      There are no fines imposed, but the public humiliation of having to admit that they lost data can cost a co

    • by pclminion (145572)

      It is already illegal, because this was medical data. For allowing this data to escape, UCB is subject to civil monetary penalties under HIPAA. These penalties go at $100 per violation, which means they'd theoretically owe $16,000,000. Unfortunately, the penalty is capped at $25,000 per year, so it's going to be a drop in the bucket.

      Now, if the data was compromised knowingly by an employee of the University, then that employee as well as the university would be subject to criminal fines of up to $250,000 an

  • by bugi (8479) on Tuesday May 12, 2009 @12:37PM (#27924589)

    So? It's not like there's any expectation of privacy. If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.

    I wish that were funny.

    • by Kabuthunk (972557)

      If the govt isn't expected to respect anyone's privacy, then surely one can't expect it of criminals.

      Well, now you're just being redundant :P.

  • Better Off Stolen? (Score:2, Interesting)

    by mindbrane (1548037)
    Have we arrived at a point where the average person is better off having had their identity stolen? With so much identity theft having taken place and, perhaps, a great deal of stolen identities unreported, wouldn't one be better served having had their identity stolen. Being able to establish that one's identity has been stolen may be the most expeditious defense against actions brought resulting from stolen identity. There's security in numbers, unless of course those numbers are stored on a computer.
  • How long will it be before we can stop relying on something as easy to get as a social security number as a unique identifier?

  • Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk.

    It was at risk before it was infiltrated. Now the loss has been guaranteed.

  • It was probably students on campus using Tor.
