Medicaid Hack Update: 500,000 Records and 280,000 SSNs Stolen
An anonymous reader writes "Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised."
Re:Not to be rude about it, but (Score:5, Informative)
Re: (Score:2)
No, seniors are on Medicare, which is a completely different program.
Re: (Score:1)
You mean Medicare, not Medicaid, which is for the very poor or terminally ill.
The big prize here would be any children's SSNs. Those are valuable for identity fraud [sltrib.com] because children have clean credit histories, and it takes months-to-years for the parents to figure it out.
I suspect "Anonymous" may be at work here, they've attacked Utah government and police sites before [sltrib.com]. They seem to support free speech, unless it's free speech they don't like, then it should be destroyed. Ironically, not only did they
Re: (Score:2)
They seem to support free speech, unless it's free speech they don't like, then it should be destroyed.
You're giving them too much credit. Most of them do it for the lulz. Seriously.
Re: (Score:2)
Poor people are probably less likely to keep an eye on their credit reports so they're actually better targets. Stealing identities to get 100 fraudulent cards with a $1000 limit each is much more useful than a single card with a $100,000 limit... especially since the person whose identity allowed you to get the $100,000 card is more likely to catch it and know how to deal with it before it's too late.
Re: (Score:2)
Hey Stalker!
Re: (Score:3)
Illegal aliens for one. Allows them to get a job.
it would be somewhat amusing if this helped the credit score for some of these people...though it would suck if it disqualifies them for medicaid
government agent: well it appears you are working 11 jobs in 3 states making a total of $123k per year. i am sorry but you don't fall under the minimum wage requirements to remain on medicaid...however we can offer you a heck of a deal on a new mortgage!
Re: (Score:2)
Don't they check the SSN against the listed name, DOB, gender, etc.?
Sure I would have something to put on a paper, but wouldn't it raise a red flag when the paper says it's a 23 year old Juan Gomez; and the SSN is for a 78 year old Martha Hicks on the other side of the country?
I once typo'd my SSN on a leasing agreement and the apt company asked me to redo it as the information did not match up.
Re: (Score:3)
One would hope so, but as I learned the hard way, companies don't always check or pay attention to red flags. My identity was stolen. The thieves used my name, address, SSN, and DOB to open a credit card in my name. They got my mother's maiden name wrong. You know, that "security" question that's supposed to help prevent fraud? They got it completely wrong. (Red Flag #1) Then, they paid for rush delivery of the card and changed the address to another state entirely. (Red Flag #2) Then, they tried to
Re: (Score:2)
So is there no recourse in such a case?
If the CC company won't allow you or the police to pursue the matter.
Re: (Score:2)
It all depends on how much you want to pursue the matter and how forceful your police department is. My police department kept insisting that investigating these cases was useless because chances are the thief was in a different jurisdiction. They would not update me for awhile and, when I got insistent, they would reveal there was no progress at all. They honestly didn't seem to care much because I didn't "lose" anything of much value. (We caught it in time so immediate monetary loss was zero.) They a
Re: (Score:2)
The end result is that my ID thief got away and likely stole other people's identities and the credit card company (*cough* Capital One *cough*) is likely still approving sketchy applications.
Coincidentally, I was on the phone for a good while with them yesterday and will be heading to the bank once they open today. Somebody grabbed those "balance transfer" (or whatever) checks that they send you out of my mailbox, wrote an enormous check out to "cash", put a signature on it that kind of looks like my name (if not my signature), and pulled out the cash before Capital One had a chance to tell the bank that the check was beyond my credit limit. Fun... Even the most basic heuristics should tell
Re: (Score:2)
Sadly, companies like this seem to consider basic fraud checks to be a needless expense. They just approve any credit/transfers and if they make a mistake.... oops! Well, it's only your money/credit. They'll write off any losses they incur and move on. Not every company is like this, but enough big companies are to make real problems for people like us.
Re:Not to be rude about it, but (Score:5, Interesting)
who is going to want SSNs of a bunch of poor people on Medicaid?
If you can fog a mirror you can get a car loan. A car can be driven across the border, to a chop shop, etc. If you're poor the interest rate will be 15% but if you stole the info and intend to never make a payment, no one cares. My mom had zero income, and someone with her info bought a pickup truck in Texas and disappeared into Mexico. She had no problem removing it from her credit history as it was beyond ridiculous, but if she were not so lucky, then it could have been a problem.
You don't need any money for an illegal to use your information to hold a job (IRS etc) or get free medical care. Actually a poor person has much better medical coverage than I do... so their info is more valuable than mine. The IRS thing with stolen SS numbers is no problem unless the illegal claims 15 exemptions and pays no tax.. then you have to pay their tax for them, or prove you're not working both as a sysadmin and a restaurant dishwasher simultaneously.
You don't need any money or credit record to visit a "check cashing place / payday loan joint" with a fake check, walk out with cash, and leave the victim to figure it all out.
Re: (Score:1)
Re: (Score:3)
Not everyone on Medicaid stays poor for the rest of their lives. Utah in particular has a lot of young married students with young children who qualify for CHIP while in college but later go on to lucrative careers.
It might have something to do with the fact that (Score:2)
Re: (Score:1)
What a scam (Score:1)
How could this happen?
Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
Unless they outsourced to a company that did not need to do the same, and then went and used their services/softwares....
otherwise, I am without any ideas how this could happen.
outsourcing and contractors / sub contractors (Score:2)
Using outsourcing and contractors / subcontractors not only adds overhead, it also lets people play the pass-the-blame game that most of the time ends in one subcontractor getting changed (with all the cost that comes with it) without fixing the real issues up front.
Now why should the techs take the blame for stuff outside of their control, like having older software that they don't have the funds or control to update. Don't have the power to make changes to the config without having to go through levels co
Re:What a scam (Score:4, Insightful)
Why is it happening, the information is supposed to be properly secured, and the company is supposed to follow ISO standards, no?
Unless they outsourced to a company [...] I am without any ideas how this could happen.
Oh I envy your naivety.. I work for an ISO9001 company and it is terrifyingly insecure.
ISO9001 compliance has nothing to do with security, and frankly ISO9001 compliance doesn't even have very much to do with ISO9001 certification..
Re: (Score:2)
The reference to ISO compliance here isn't to the ISO9001 quality standard, but the ISO 27001 and ISO 27002 best practices standards for information security.
see: http://en.wikipedia.org/wiki/ISO/IEC_27001 [wikipedia.org]
Re: (Score:3)
How could this happen?
The people in charge don't give a shit.
Next silly question.
ID (Score:3, Insightful)
Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.
Right?
Re: (Score:1)
Good thing these are only numbers which would require some sort of modern photo ID to actually use in a context where serious harm could be caused through fraudulent use.
Someone modded this up to "Insightful"? Really? Are you from Planet Quendor?
If you needed real government-issued photo ID to commit identity theft, then most of the criminals would be out of business.
Simple solution: (Score:2)
Re: (Score:2, Funny)
do it like they do in Luxembourg: arrest anybody who talks about the breach [news.rtl.lu]. After a while there will be nobody left that knows about it. Case closed!
Yeah, but that's Luxembourg. Arrest like 5 people and you've arrested almost a quarter of the population. A lot harder to do that in the US.
Re:Simple solution: (Score:4, Informative)
Yeah, but that's Luxembourg. Arrest like 5 people and you've arrested almost a quarter of the population. A lot harder to do that in the US.
You seem to be doing a good job, though... [wikipedia.org]
Re: (Score:1)
Arrest like 5 people ... almost a quarter of the population. A lot harder to do that in the US.
We'll git er done... Americuh, F yeah!
Pffffft..... (Score:2)
The UK government lost 25 MILLION records on one disc. 500k is nothing.
Seriously, how bad does it have to get before people figure this out?
Re: (Score:2)
So, how did they discover the leakage? (Score:5, Insightful)
I always wonder about these stories. They are obviously so ate up with their infrastructure that they don't know how to properly configure, maintain, and secure it. So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place?
This! (Score:2, Informative)
So how, then, do they detect the breach, which is usually far more difficult than protecting the stuff in the first place?
This is the right question.
It so often sounds like these organizations lack high-end intrusion detection systems. It's usually a case of someone stumbling across the "open door" and sounding the alarm. Organizations that lack good IPS are unlikely to have good network auditing systems that record who accesses what and when for every file or network recorders that record every packet on the network. In fairness, that stuff is expensive, complex to install, maintain and use, and introduces storage issues. S
Re: (Score:3)
A common approach is to insert 'canaries' into the datasets. These are wholly-invented users whose credentials should never show up in any system, anywhere. If they do start showing up in significant numbers, you have a breach. By measuring which, and how many of these fake users turn up, you get a read on how many records you lost.
Not that this necessarily has anything to do with this
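The canary approach described in the comment above, as an added example that is not part of the original thread: invented logins carry a keyed tag so the defender can recognize them and the segment they were seeded in, and the share of canaries sighted is scaled to an estimate of records lost. The key, domain, segment names and all counts are constructed assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret known only to the defender
DOMAIN = "mail.example"        # assumption: placeholder domain for invented users

def _tag(base: str) -> str:
    return hmac.new(KEY, base.encode(), hashlib.sha256).hexdigest()[:10]

def make_canary(segment: str, n: int) -> str:
    """Invented login seeded into one dataset segment; the tag authenticates it."""
    base = f"{segment}-{n:04d}"
    return f"{base}-{_tag(base)}@{DOMAIN}"

def identify(login: str):
    """Return the segment a sighted login was seeded in, or None if not ours."""
    local, _, domain = login.lower().partition("@")
    base, _, tag = local.rpartition("-")
    if domain != DOMAIN or not base:
        return None
    if not hmac.compare_digest(tag, _tag(base)):
        return None
    return base.rpartition("-")[0]

def estimate_loss(sightings, seeded, real_counts):
    """Scale the share of distinct canaries seen to each segment's real size."""
    seen = {seg: set() for seg in seeded}
    for login in sightings:
        seg = identify(login)
        if seg in seen:
            seen[seg].add(login.lower())
    return {seg: round(real_counts[seg] * len(seen[seg]) / seeded[seg])
            for seg in seeded}

# Constructed sample: two segments, then logins sighted outside our systems.
SEEDED = {"claims": 50, "eligibility": 40}
REAL = {"claims": 100_000, "eligibility": 20_000}
SIGHTED = [make_canary("claims", i) for i in range(10)]
SIGHTED += [make_canary("claims", 3).upper(),        # duplicate sighting
            "claims-0099-0000000000@mail.example",   # forged tag, ignored
            "jane.doe@mail.example"]                 # ordinary user, ignored

def demo():
    return estimate_loss(SIGHTED, SEEDED, REAL)

if __name__ == "__main__":
    print(demo())
```

The estimate assumes canaries were seeded uniformly within each segment and that the sighted material is a fair sample of what was taken.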
We want this (Score:1)
Aren't we pushing for centralizing medical records in big databases? This means we have to provide easy access to tens of thousands of doctors and hospitals and healthcare providers. Easy to access and impossible to hack only exist in RFPs chasing dumb government money. This is the trade off for the convenience. You no longer have to break in and steal a truckload of files from 1000 different doctor's offices. You hit one database that has everything nicely prepared to be downloaded by the bad guys
Re: (Score:1)
Exactly! What we need is a giant database that can be compromised by one overworked medical resident who has no real concept of data security.
I know of two cases where residents had a shared database of passwords to various medical systems at multiple hospitals stored on insecure public "document" sites. In one case, they all had a common password, and different groups of students/residents used it year after year (not even ever changing the username or password). When the IT people found out and blew a
This is possible with many non-profits. (Score:1)
I work for another major, similar non-profit organization in another site. I've been involved with IT and various areas of the organization's business-side functions; including Electronic Medical Record systems. I will just say that if you really believe these companies are secure, you're naive. These are non-profit corporations with the majority of the people being very untechnologically savvy. Even a decent IT department only has so much control over what is going on - most of the time, the security of th
What to do (Score:5, Informative)
My advice for anyone whose identity was stolen:
Step 1: Report it to all 3 credit agencies (Experian, TransUnion, and Equifax) and put fraud alerts on your credit files.
Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine-toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed.
Step 3: Freeze your credit file.
About the latter, fraud alerts last for 90 days and are only a warning sign to be on the lookout for fraud. Companies can (and do) ignore them from time to time. They aren't a guarantee that your credit won't be misused again. Freezing your file, however, means that nobody can add items to your credit unless you thaw it first. Yes, it means you can't get a loan or open up a store credit card on a whim, but that's the trade-off for peace of mind knowing that the thieves could have all of your personal info and still won't be able to do anything with it credit-wise.
Of course, freezing isn't a cure-all. ID thieves could still use your identity if they are arrested for a crime and you could find yourself with a criminal record you didn't "earn." Still, it's a very handy tool to use.
Re:What to do (Score:4, Informative)
"Step 2: Get your free annual credit report from all 3 agencies (not just 1 agency) and go over it with a fine-toothed comb. Make sure *EVERYTHING* on there is legit. Contact the agencies about any non-legit items to get them removed."
regarding that bit http://www.annualcreditreport.com/ [annualcreditreport.com] is the address you need
or hit https://www.annualcreditreport.com/cra/order?mail [annualcreditreport.com] for details on how to get this done (if you do the USPS method photocopy your DL and SS card and enclose that with the form)
Re: (Score:2)
Thanks for adding that link.
Accountability...... (Score:2)
Important Observation (Score:1)