Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen

Posted by timothy
from the needs-more-government-regulation dept.
An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."
  • How could this happen?
    Why is it happening? The information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
    Unless they outsourced to a company that did not need to do the same, and then went and used their services/software....
    Otherwise, I am without any ideas how this could happen.

    • Using outsourcing and contractors/subcontractors not only adds overhead, it also lets people play the pass-the-blame game that most of the time ends in one subcontractor getting changed (with all the cost that comes with it) without fixing the real issues up front.

      Now why should the techs take the blame for stuff outside of their control, like having older software that they don't have the funds or control to update? Don't have the power to make changes to the config without having to go through levels co

    • Re:What a scam (Score:4, Insightful)

      by kestasjk (933987) * on Tuesday April 10, 2012 @10:00AM (#39630357) Homepage

      Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
      Unless they outsourced to a company [...] I am without any ideas how this could happen.

      Oh, I envy your naivety... I work for an ISO9001 company and it is terrifyingly insecure.

      ISO9001 compliance has nothing to do with security, and frankly ISO9001 compliance doesn't even have very much to do with ISO9001 certification.

    • How could this happen?

      The people in charge don't give a shit.

      Next silly question.

  • ID (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 10, 2012 @09:33AM (#39629993)

    Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.

    Right?

    • Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.

      Someone modded this up to "Insightful"? Really? Are you from Planet Quendor?

      If you needed real government-issued photo ID to commit identity theft, then most of the criminals would be out of business.

  • do it like they do in Luxembourg: arrest anybody who talks about the breach [news.rtl.lu]. After a while there will be nobody left that knows about it. Case closed!
  • The UK government lost 25 MILLION records on one disc. 500k is nothing.

    Seriously, how bad does it have to get before people figure this out?

    • Yeah, but when you lose sooo many records, nobody can use them as authoritative identity anymore, and as such they become rather useless for ID Fraud. Ironically the UK loses so many records that the records themselves are probably of very little use to ID thieves on their own. Everybody knows not to trust them due to all the leaks :)
  • by SCHecklerX (229973) <thecaptain@captaincodo.net> on Tuesday April 10, 2012 @09:58AM (#39630319) Homepage

    I always wonder about these stories. They are obviously so ate up with their infrastructure that they don't know how to properly configure, maintain, and secure it. So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

    • This! (Score:2, Informative)

      by Anonymous Coward

      So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

      This is the right question.

      It so often sounds like these organizations lack high-end intrusion detection systems. It's usually a case of someone stumbling across the "open door" and sounding the alarm. Organizations that lack good IPS are unlikely to have good network auditing systems that record who accesses what and when for every file, or network recorders that record every packet on the network. In fairness, that stuff is expensive, complex to install, maintain and use, and introduces storage issues. S
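The comment above says the missing piece is a record of "who accesses what and when for every file". The cheapest detection that falls out of such a record is a bulk-access alert: a human looks at a handful of charts over a shift, while an export job (or a stolen account driving one) touches hundreds of distinct records in minutes. The block below is an added example for this thread, not code from the Utah system or from any commenter; the audit-line format, the user names and the log itself are constructed for illustration.

```python
"""Bulk record-access detector over a (constructed) per-record audit log.

Added example; the line format `<iso-timestamp> user=<u> action=<a> record=<id>`
and the sample log are invented here, not taken from any real system.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) record=(\S+)$")


def parse_line(line: str):
    """Split one audit line into (timestamp, user, action, record_id)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, user, action, record = m.groups()
    return datetime.fromisoformat(ts), user, action, record


def detect_bulk_access(lines, window=timedelta(minutes=10), max_distinct=50):
    """Alert once per user whose count of *distinct* records touched inside a
    sliding time window exceeds max_distinct. Re-opening the same chart does
    not count twice, so a busy clinician on a few patients stays quiet while
    an enumerating export trips the threshold. Lines must be time-ordered."""
    recent = defaultdict(deque)       # user -> deque of (ts, record) in window
    in_window = defaultdict(Counter)  # user -> record -> hits in window
    alerts, alerted = [], set()
    for line in lines:
        ts, user, _action, record = parse_line(line)
        q, hits = recent[user], in_window[user]
        q.append((ts, record))
        hits[record] += 1
        # Evict entries that fell out of the window, keeping distinct counts exact.
        while q and ts - q[0][0] > window:
            _old_ts, old_rec = q.popleft()
            hits[old_rec] -= 1
            if hits[old_rec] == 0:
                del hits[old_rec]
        if len(hits) > max_distinct and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts.isoformat(), len(hits)))
    return alerts


def build_sample_log():
    """Constructed log: one clinician on five charts across a morning, and one
    service account pulling 60 distinct records in three minutes."""
    base = datetime(2012, 4, 2, 8, 0, 0)
    lines = []
    for i in range(8):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} user=jdoe action=view record=MED{1000 + i % 5:06d}")
    for i in range(60):
        ts = base + timedelta(minutes=30, seconds=3 * i)
        lines.append(f"{ts.isoformat()} user=svc_export action=view record=MED{500000 + i:06d}")
    return sorted(lines)  # ISO timestamps sort lexicographically


if __name__ == "__main__":
    for user, when, n in detect_bulk_access(build_sample_log()):
        print(f"ALERT {when}: {user} touched {n} distinct records within 10 minutes")
```

The threshold and window are the tunable part: set them from the observed per-role baseline rather than a guess, and remember that a legitimate batch job will trip this too, which is the point, since it forces someone to enumerate which accounts are allowed to read the table in bulk.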

    • by dachshund (300733)

      So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place.

      A common approach is to insert 'canaries' into the datasets. These are wholly-invented users whose credentials should never show up in any system, anywhere. If they do start showing up in significant numbers, you have a breach. By measuring which, and how many of these fake users turn up, you get a read on how many records you lost.

      Not that this necessarily has anything to do with this
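The canary approach dachshund describes, worked through as an added example (not code from the Utah system or from the commenter). It assumes three things, all labelled in the code: canary SSNs are built from area numbers the SSA never issues (000, 666 and 900-999), so they cannot collide with a real beneficiary; the canaries are spread uniformly through the table, which is what lets the fraction of canaries seen in a dump estimate the fraction of real rows taken; and the secret used to derive them is kept by the defender and never stored next to the data. The record layout and the simulated dump are constructed for illustration.

```python
"""Canary ("honeytoken") records: seed a PII table, scan a dump for them,
estimate how much was taken.

Added example for this thread; not code from Utah's system or from any
commenter. The record layout, the seeding rate and the simulated dump are
constructed for illustration.
"""
import hashlib
import hmac
import random
import re

# SSN area numbers the SSA never issues (000, 666, 900-999). Building canaries
# from these guarantees they cannot collide with a real person's SSN.
NEVER_ISSUED_AREAS = [0, 666] + list(range(900, 1000))
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def canary_ssn(secret: bytes, index: int) -> str:
    """Derive canary number `index` from a keyed hash, so the whole canary set
    is reproducible from (secret, count) and need not be stored beside the
    data it protects. `secret` is assumed to be held only by the defender."""
    digest = hmac.new(secret, f"canary:{index}".encode(), hashlib.sha256).digest()
    area = NEVER_ISSUED_AREAS[digest[0] % len(NEVER_ISSUED_AREAS)]
    group = 1 + int.from_bytes(digest[1:3], "big") % 99      # 01..99
    serial = 1 + int.from_bytes(digest[3:5], "big") % 9999   # 0001..9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def seed_canaries(records, secret: bytes, count: int, rng=None):
    """Return a copy of `records` with `count` canary rows inserted at random
    positions. Uniform spreading is what makes the estimate below hold for a
    partial export (e.g. a thief who only pulled the first N rows)."""
    if rng is None:
        rng = random.Random()
    out = list(records)
    for i in range(count):
        row = {"member_id": f"C{i:06d}", "name": f"Canary Member {i}",
               "ssn": canary_ssn(secret, i)}
        out.insert(rng.randrange(len(out) + 1), row)
    return out


def scan_dump(lines, secret: bytes, count: int):
    """Scan free text (a paste site, a fraud-list feed, a dark-web dump) for
    canary SSNs; return the set of canary indices that appear."""
    lookup = {canary_ssn(secret, i): i for i in range(count)}
    found = set()
    for line in lines:
        for token in SSN_RE.findall(line):
            if token in lookup:
                found.add(lookup[token])
    return found


def estimate_exposure(found: int, seeded: int, total_real: int):
    """Fraction of canaries seen ~ fraction of real rows taken (given uniform
    seeding); scale to the table size for a record-count estimate."""
    fraction = found / seeded
    return fraction, round(fraction * total_real)


if __name__ == "__main__":
    secret = b"rotate-me-and-keep-out-of-the-db"   # assumption: defender-only secret
    rng = random.Random(2012)
    # Constructed "real" rows; areas 100-799 never overlap the canary ranges.
    real = [{"member_id": f"M{i:06d}", "name": f"Member {i}",
             "ssn": f"{100 + i % 700:03d}-{1 + i % 99:02d}-{1 + i % 9999:04d}"}
            for i in range(10_000)]
    table = seed_canaries(real, secret, 100, rng)
    # Simulated theft: the attacker dumps the first 40% of the table in storage order.
    stolen = table[: int(len(table) * 0.4)]
    dump = [f"{r['name']},{r['ssn']},{r['member_id']}" for r in stolen]
    hits = scan_dump(dump, secret, 100)
    frac, est = estimate_exposure(len(hits), 100, len(real))
    print(f"{len(hits)}/100 canaries seen -> ~{frac:.0%} of table, ~{est} real records")
```

Two caveats a practitioner would add to the comment: canaries only fire when the stolen data surfaces somewhere you are watching, so they tell you about exposure after the fact, not about the intrusion itself; and they must be excluded from every downstream consumer (eligibility checks, mailings, reconciliation with other agencies), or the fake members generate their own incidents.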

  • Aren't we pushing for centralizing medical records in big databases? This means we have to provide easy access to tens of thousands of doctors and hospitals and healthcare providers. Easy to access and impossible to hack only exist in RFPs chasing dumb government money. This is the trade-off for the convenience. You no longer have to break in and steal a truckload of files from 1000 different doctors' offices. You hit one database that has everything nicely prepared to be downloaded by the bad guys.

    • Exactly! What we need is a giant database that can be compromised by one overworked medical resident who has no real concept of data security.

      I know of two cases where residents had a shared database of passwords to various medical systems at multiple hospitals stored on insecure public "document" sites. In one case, they all had a common password, and different groups of students/residents used it year after year (not even ever changing the username or password). When the IT people found out and blew a

  • by Anonymous Coward

    I work for another major, similar non-profit organization in another site. I've been involved with IT and various areas of the organization's business-side functions; including Electronic Medical Record systems. I will just say that if you really believe these companies are secure, you're naive. These are non-profit corporations with the majority of the people being very untechnologically savvy. Even a decent IT department only has so much control over what is going on - most of the time, the security of th

  • What to do (Score:5, Informative)

    by Jason Levine (196982) on Tuesday April 10, 2012 @10:30AM (#39630699)

    My advice for anyone whose identity was stolen:

    Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.

    Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.

    Step 3: Freeze your credit file.

    About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.

    Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.

  • Until institutions are held accountable for this type of data breach it will continue to happen. If the fine was, let's say, $1 million paid to each compromised SSN, then 2 things would happen: 1. they would spend more money on qualified individuals to protect their data; 2. this would not be reported as much, as they would cover it up.
  • It is important to note where the primary concern of most of the commenters is: the stolen SSNs. We don't have effective health information exchange because politicians and their constituents are scared to death of their all-important "private health data" being stolen. When it actually happens, people stop and realize that no one could possibly have any use for Joe Average's health information, whereas your SSN/personal information can quickly compromise your financial livelihood. In order to get some u
