US Health Insurer Anthem Suffers Massive Data Breach
An anonymous reader writes: Anthem, the second-largest health insurer in the United States, has suffered a data breach that may turn out to be the largest health care breach to date, as the compromised database holds records of some 80 million individuals. Not much is known about how the attack was discovered, how it unfolded and who might be behind it, but the breach has been confirmed by the company's CEO Joseph Swedish in a public statement, in which he says they were the victims of a "very sophisticated external cyber attack." The company has notified the FBI, and has hired Mandiant to evaluate their systems and identify solutions to secure them.
Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised." (Also covered by Reuters.)
That's why nobody sensible wants them (Score:5, Interesting)
Huge databases full of personal info are gigantic targets, and properly securing them is very very difficult (and what's worse, uneconomical, since most of them are owned by publicly traded companies)..
Pandora's box is open now, but don't say the tinfoiled warriors didn't warn you..
Re:That's why nobody sensible wants them (Score:4, Informative)
PII should be classified based on sensitivity. At a certain level, that PII must be encrypted during transit. At the highest level, it must be encrypted during transit and at rest. SSN falls in the highest sensitivity level. SOP for years. This doesn't guarantee you won't get hacked, but it reduces / minimizes the impact if you are hacked.
PII - Personally Identifiable Information
SSN - Social Security Number
SOP - Standard Operating Procedure
Re: (Score:2)
PII should be classified based on sensitivity. At a certain level, that PII must be encrypted during transit. At the highest level, it must be encrypted during transit and at rest. SSN falls in the highest sensitivity level. SOP for years. This doesn't guarantee you won't get hacked, but it reduces / minimizes the impact if you are hacked.
PII - Personally Identifiable Information
SSN - Social Security Number
SOP - Standard Operating Procedure
Out of curiosity since you are familiar with the subject, where is the acceptable place to keep the encryption key? During a compromise it doesn't do much good when it's on or near the same server as the DB with the data. Two servers, with two distinct access control credentials?
Re: (Score:2)
Info needs to be accessible to them, IRS(ACA), bil (Score:3)
The information needs to be accessible. The insurance company has to access it, of course, as well as partners like billing and collection companies, doctors and hospitals query the system, and to enforce ACA the IRS needs access, the state exchange you bought it through ... Probably three more types of entities I'm not thinking of off the top of my head. I'd bet there are at least a dozen different government agencies involved with ACA who can query your information.
If the IRS, the insurance company, the
Re: (Score:2)
So only the guy in the server room can access any patient^H^H^H^H^H^H customer data, for a company with millions of customers? That's going to be one busy guy! Roughly everyone who works at the insurance company needs some access to their customers' information, so it has to be on the network. The IRS demands access too, so the insurance company has to connect it to the internet.
The notion of an operator-provided or operator-unlocked key is the way it used to work "back in the days" when every server had a monitor plugged into it. You would provide a password on bootup which was a mini-key to decrypt the actual SSL/TLS keys. It would get stashed in memory at that point and (hopefully) operator intervention wouldn't be needed again until the next scheduled reboot. Before too long, the threat of in-memory attacks far eclipsed the threat of physical server theft and this practice w
Re: (Score:2)
If it really needs to be exceptionally secure and you're dealing with a system that is constantly running, why not just keep any encryption keys in memory only where it's that much harder to get them and have them manually be entered by someone if the system needs to be brought down. That or use some module with the encryption baked in at a physical level to handle encryption and decryption. Yes, it's more expensive, but these systems are already hugely expensive and it makes it incredibly difficult for anyone without physical access to get at the actual data.
Is there some practical reason why it couldn't be done this way or something else that I'm missing outside of the obvious that there's another, cheaper way of doing things?
Putting the key alongside the data is a bad idea no matter how the key gets there. Finding it in RAM would be no different than finding it somewhere on the disk (assuming the disk approach is more complex than c:\config\crypto.key) so that's out. There are TPM solutions that can make it secure (storing the key in tamperproof memory, never releasing it, doing the encryption/decryption only at the request of signed binaries) but at this scale I don't know if the TPM can keep up or if doing it all on one clo
Re: (Score:2)
It's not a matter of "why not just" anything. Keys in memory just mean an attacker runs a memory dump once the system is online. Keys in a file means an attacker reads that file. All major database servers will use an encryption keystore to encrypt the keys with the credentials of the service account the database runs under. They're not plaintext files, they're protected as strongly as the service account itself. If this is set up properly, it means an attacker that can get at the key on disk you can a
Re: (Score:3)
There are a number of solutions to the problem. There are data protection appliances that can be integrated to databases or applications (via API) where encrypted data is sent to for decryption and available only in the result set; never written to disk in the clear. In this scenario, even root or dba don't have access to the sensitive data, unless authorized by the appliance. Another option, (becoming more popular) is tokenization. The sensitive data is replaced by consistent non-sensitive token values. Th
Re: (Score:2)
Tokens can also retain some of the original data. So if we tokenized SSN 123-45-6789, we could generate a token that kept the same last 4 digits, 541-30-6789. If customer support uses the last four digits of SSN to verify customers on the phone, they can now do it without being exposed to the real sensitive data.
While it is very common practice in the US to verify customers using the last 4 digits of their SSN, this practice is actually poor security.
If you know someone's place and date of birth, you can determine the first 5 digits. This is because SSN assignment was done by regional offices, each assigned a block from which to allocate SSNs.
Even though centralized SSN assignment is now used, vast numbers of US citizens were assigned their SSNs from the regional blocks.
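The tokenization scheme described in this sub-thread, as an added example that is not code from any poster or product: a vault that issues consistent tokens keeping the real last four digits, with detokenization gated by role. `TokenVault`, `last4_matches` and the `billing` role are hypothetical names, and the in-memory dictionaries stand in for a separate, encrypted vault service.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical role allowed to see real SSNs; not from the original thread.
DETOKENIZE_ROLES = {"billing"}


def normalize(ssn: str) -> str:
    """Strip separators and insist on exactly nine digits."""
    digits = re.sub(r"[-\s]", "", ssn)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("expected nine digits")
    return digits


def dashed(digits: str) -> str:
    """Format nine digits as ddd-dd-dddd."""
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


class TokenVault:
    """In-memory stand-in for a tokenization service.

    A real vault runs as a separate, access-controlled system and encrypts
    its mapping; the dicts here only illustrate the data flow.
    """

    def __init__(self, index_key: bytes):
        self.index_key = index_key      # used only to find an existing token
        self.token_by_index = {}        # HMAC(ssn) -> token digits
        self.ssn_by_token = {}          # token digits -> real SSN digits

    def tokenize(self, ssn: str) -> str:
        digits = normalize(ssn)
        index = hmac.new(self.index_key, digits.encode(), hashlib.sha256).digest()
        if index in self.token_by_index:
            # Consistent tokens: the same SSN always maps to the same token.
            return dashed(self.token_by_index[index])
        while True:
            # Random first five digits, real last four (as in the thread's example).
            candidate = f"{secrets.randbelow(100_000):05d}" + digits[5:]
            if candidate != digits and candidate not in self.ssn_by_token:
                break
        self.token_by_index[index] = candidate
        self.ssn_by_token[candidate] = digits
        return dashed(candidate)

    def detokenize(self, token: str, role: str) -> str:
        """Only authorized roles get the real value back."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return dashed(self.ssn_by_token[normalize(token)])


def last4_matches(token: str, claimed_last4: str) -> bool:
    """Phone-support check that needs only the token, never the vault."""
    return hmac.compare_digest(normalize(token)[5:], claimed_last4)


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize("123-45-6789")        # SSN from the thread's example
    print("stored in application DB:", token)
    print("support check:", last4_matches(token, "6789"))
    print("billing sees:", vault.detokenize(token, role="billing"))
```

The token still carries the real last four digits, so the reply's objection to last-four verification applies to it unchanged.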
Acronym usage (Score:4, Insightful)
Not saying this to be a dick. Saying it because the way you come across right now is as someone who takes pride in stuffing jargon in the faces of others.
Re: (Score:2)
Fixed the fix for ya both!
Re:That's why nobody sensible wants them (Score:4, Informative)
HIPAA requires all PHI to be encrypted when transmitted.
The hack got into the systems after the data is at rest. As are most data breaches. There are very few hacks from packet sniffing. (Our infrastructure tends to be using Switches and Routers, instead of the old Hubs, so there are fewer packets being spread to less than trustworthy areas.)
If you were to encrypt the data at rest, where would you store the key? And if someone could gain access to that key you are in just as much trouble.
Better rules would be for systems that access PHI, to be off the Internet entirely. So you will have two networks. That are physically on different networks. One where you have the PCs that are hooked to the normal intranet and internet. Then one system just for PHI.
Now how do we send data from one institution to the next (say from the hospital to the insurance company)? Then you will need a trusted point to point encrypted channel. Once the data is sent, that point to point needs to be closed, and perhaps physically unplugged from the internet.
Re: (Score:2)
HIPAA? The Health Information Privacy Awareness Act?
Ahem, no, the Health Insurance Portability and Accountability Act. The name doesn't get at the parts of concern here, which are a number of privacy and confidentiality measures in Title II of the act, which sets guidelines on info systems that contain personal and/or medical data.
Re: (Score:2)
The trouble here is that there are HUGE fines for allowing PHI to leak out... but it's a tiny slap on the wrist to leak everything else. So whether it's true or not, this press release appears to be a bit of PR in hopes of evading the HIPAA penalties, or at least calls for HIPAA penalties, which at this magnitude would probably crush the company like a beer can.
It is truly time to pass two laws: 1) leaking identity info should be punished similarly to PHI, and 2) We need to move away from SSN as a credit i
Re: (Score:2)
there are HUGE fines for allowing PHI to leak out
Except that those fines are levied against the corporation, not the responsible people. While the corporation could recuperate that from the responsible people, it usually doesn't because the responsible people based their decision on advice from experts, then chose what sounded "good enough" while minimizing the implementation cost. So the blame gets transferred to the experts - the one for giving bad advice and the others for failing to adequately counter the one - who then get fired. Then the corporation
Re:That's why nobody sensible wants them (Score:4, Informative)
Encryption is not a panacea.
I'm in full agreement that sensitive data should be encrypted, but I've seen too many cases where encryption (even bad encryption) is an excuse for lazy and bad security decisions.
SSN is a bad "secret" for anything, given how simple and ubiquitous it is. The idea that shared secrets establish identity has been wrong for many years and it's just going to keep getting worse until we, as consumers, can make companies leverage public key cryptography for authentication.
Policies that require encrypting SSN at rest and PII in transit usually result in a database table with:
Name
Address
Date_of_Birth
Encrypted_SSN
That sounds like a step in the right direction, unless you consider how easy it is to decrypt the SSN. On my laptop, it takes 62 seconds to go through every possible SSN using a script that took me less than 60 seconds to write. Add some time for doing an encrypt operation and lookup for each possible value, but it's clearly possible to brute force the entire SSN range on any computer in a very short amount of time. Ultimately, once someone can get access to the data, they can easily generate every possible encrypted SSN and match up actual value to what's in the table.
Real world example:
Cox insisted on having my SSN to get internet service through them. The last 4 of the SSN is used to confirm the user on the web site. They insisted that storing SSN on the internet was safe because it's encrypted. They really want the SSN to be able to track you down if you don't pay and skip town. Most of their customers aren't going to argue with them because they hear that encryption is magic. I eventually convinced a supervisor that their security is a joke and we agreed that my SSN would be in their system as 3.14159265, without the decimal point.
When people believe that encryption makes their data safe, it allows people to decide to make riskier choices with where the data resides. Encryption is a step in the right direction, but it's just one piece of the security puzzle.
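A defender's check of the point made in the comment above, as an added example that is not code from the thread: a column audit showing that a deterministic transform of an SSN protects nothing unless a key is required and that key is held away from the data. All rows are constructed, the candidate space is reduced to 10,000 values so it runs instantly, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

FULL_SSN_SPACE = 10 ** 9   # every nine-digit value; the bound the comment relies on


def unkeyed(ssn: str) -> str:
    """Deterministic and keyless: anyone holding the table can recompute it."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed(key: bytes, ssn: str) -> str:
    """Deterministic but keyed: recomputing it requires the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def reversible_rows(column, candidates, transform):
    """Audit helper: which stored values equal transform(candidate)?

    Returns {stored_value: plaintext}. Any hit means the column can be
    reversed by whoever is able to run `transform`.
    """
    lookup = {transform(c): c for c in candidates}
    return {value: lookup[value] for value in column if value in lookup}


def constructed_candidates():
    """Reduced space for the demo: 000-00-0000 through 000-00-9999."""
    return [f"000-00-{serial:04d}" for serial in range(10_000)]


def audit():
    """Return hit counts for three storage designs over the same rows."""
    rows = ["000-00-0042", "000-00-1234", "000-00-9999"]   # constructed, not real
    candidates = constructed_candidates()

    # Design 1: unkeyed digest in the table. The table alone is enough.
    weak_column = [unkeyed(s) for s in rows]
    weak_hits = reversible_rows(weak_column, candidates, unkeyed)

    # Design 2: keyed digest, key held in a separate system. Someone with
    # only the table has to guess the key, so the lookup finds nothing.
    real_key = secrets.token_bytes(32)
    strong_column = [keyed(real_key, s) for s in rows]
    guessed_key = secrets.token_bytes(32)
    table_only_hits = reversible_rows(
        strong_column, candidates, lambda s: keyed(guessed_key, s))

    # Design 3: same keyed column, but the key sits beside the data.
    # This collapses back to design 1.
    key_beside_data_hits = reversible_rows(
        strong_column, candidates, lambda s: keyed(real_key, s))

    return len(weak_hits), table_only_hits and len(table_only_hits) or 0, len(key_beside_data_hits)


if __name__ == "__main__":
    weak, table_only, key_beside = audit()
    print(f"unkeyed column reversed:          {weak}/3 rows")
    print(f"keyed column, key elsewhere:      {table_only}/3 rows")
    print(f"keyed column, key beside data:    {key_beside}/3 rows")
    print(f"full candidate space to consider: {FULL_SSN_SPACE:,}")
```

The third result is the key-storage question raised elsewhere in the thread: a keyed column is only as strong as the separation between the key and the table.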
Re:That's why nobody sensible wants them (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
They do NOT get a free pass. They contribute heavily to PACs!
Re: (Score:2)
A few of my friends were in the US military. Based on things they said at various times, my understanding is that commanders have a lot of discretion when prescribing punishment. In many cases, purely administrative discipline can be sufficiently obfuscated that it has no long term - or even medium term - effect.
Incompetent IT in a health care industry? (Score:5, Insightful)
The hell you say! I'm sure all that money they saved not building an adequate infrastructure is much more than this breach will cost them. Oh, wait...
Front office workers doctor's office (Score:2, Insightful)
When I see a new doctor, they always demand a SS# along with all of your personal information.
And when I tell them that I am uncomfortable with it, I always get a stern and rude demand. Any explanation of how insecure medical is - those people email and fax that information willy nilly - I get this "I'm full of shit look."
I hope those people get their identity stolen and their credit ruined so they can learn a lesson.
Re: (Score:3)
SS# isn't a demand from the Dr. but from the Insurance Company... Yell at them for requiring it.
Also of a note. Your doctor probably has a patient list of around 25,000 people. That he must record and track by law. The SS# is one of the easier ways to ensure you have the correct patient matched in the system. Bigger institutions can work around it, ones with a large IT Staff. But the small Dr. Office is quite limited, and subjected to the whims of the vendors.
Re: (Score:2)
" Your doctor probably has a patient list of around 25,000 people."
That's a huge practice for just one doctor. Even for a GP.
Re: (Score:2)
Small practices usually range 5,000 - 40,000 patients. 15,000 patients per doctor. I have done a lot of practice data conversions, those are the numbers I tend to see.
You have the following calculation.
Normally about 50% of the visits are from new patients.
8 hour day, with 10 minute intervals, for 5 days a week for 50 weeks. That is 6000 patients. They will need to keep 4-5 years of data on the patient. So we go up to 25,000 range.
Now we have variances based on specialty, and level of care, but 25,000 for
Re:Incompetent IT in a health care industry? (Score:5, Informative)
Working in Health Care, the issue is much harder than you think.
We have conflicting rules and regulations that we must follow.
We are by law demanded to keep our data safe, at the same time, we need to share it with others (Insurance Companies, Legal Cases, Governments, individuals, competing health care professionals) at a whim. Complex rules for what is acceptable and not are in place, meaning there is an IT Infrastructure that is older, because it contains an organic set of rules. Dumping the old systems for new ones that are more secure is a major undertaking.
Even with a skilled IT Staff larger than most organizations it is nearly impossible to keep up with all the changes required by law, and focus completely on security. Putting in a code freeze until we get security fixed cannot happen.
Re: (Score:3)
Re: (Score:2)
It's almost always a lack of will to spend the money required or accept the pain necessary and NOT technical feasibility. If you build your systems to the strictest of standards or beyond, then you are by default in compliance with the rest.
Doing things "right" almost always gets hamstrung by the dollar figures required or by "business" push-back. "Do we really need to install IDS/IPS equipment in every little branch network we have?" Yes, yes you do if you want to prevent and catch breaches early. "What do
Re: (Score:2, Funny)
I would suggest that security should be the top priority ahead of everything else.
This to a country (world, really) where Windows is the dominant desktop OS?
BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!
Re: (Score:3)
I'm not going to knock Windows as for all its faults, it has been easy enough to use that any idiot can own a computer.
That said, I have met these idiots personally. I caught one walking around trying to plug an RJ45 into every phone outlet (RJ11) he could find. He thought it was the network. He was trying to connect his laptop to the network because it had several viruses and he wanted the company anti virus to remove them. I caught another trying to disable the firewall. Someone in a chat room gave her a p
Re: (Score:2)
The worst part is that these people vote for the people that lead my country.
Re: (Score:2)
I would suggest that security should be the top priority ahead of everything else.
I would rather they have patient care as their number one priority. Their focus should be the health and welfare of patients, because if they don't, people literally die. If it comes down to doctors spending their time treating patients and nurses double-checking medicine doses versus keying in lengthy crypto sequences on their tablet and meeting with IT vendors -- I would much rather they choose the former.
Re: (Score:2)
I wasn't saying ALL of health care should focus on security, I was saying health care IT should. Part of that focus should be determining where the compromise point between security and convenience lies.. and in a HIPAA environment, security wins if there's a conflict.
Yes, there will be some inconvenience. That's not avoidable with increased security. Minimizing it is key to ensuring compliance. If the nurses bitch because they have to enter a password where they didn't before, well, tough shit. Part o
Re: (Score:2)
I would suggest that security should be the top priority ahead of everything else.
80 Million? (Score:5, Insightful)
Re:80 Million? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
But I put it in the shoe box with all the other important stuff. It was lost when our house was robbed or caught fire last month.
A lot of things happen to a lot of people. It's not always their stupidity.
Re: (Score:2)
Credit reporting agencies are RICO (Score:3)
The better way to fix this is to require strict liability to the Credit reporting agencies. If they put data in your credit report that is false, If they link you to debt that you actually didn't take out, then they have unlimited liability to damages to you plus statutory punitive damages.
The hell, if when they come and sell me credit protections services isn't extortion I don't know what is.
"Nice credit score you have. It would be a shame if someone stole your identity and messed that up so that we
income data? (Score:4, Interesting)
Re: (Score:2)
Marketing demographic information most likely. It doesn't say how accurate or what the source of that portion of the data is.
Like many companies, my company has various different methods that we obtain leads. We automatically run every lead through a service to obtain demographic information about the email address that can tell us household size, residence value, own or rent, income, education level, field of employment, interests, age, etc. All those go towards scoring the lead as it relates to our targe
Re: (Score:2)
Marketing demographic information most likely. It doesn't say how accurate or what the source of that portion of the data is.
Like many companies, my company has various different methods that we obtain leads. We automatically run every lead through a service to obtain demographic information about the email address that can tell us household size, residence value, own or rent, income, education level, field of employment, interests, age, etc. All those go towards scoring the lead as it relates to our target market.
While a data breach is a data breach, if it's somewhat public information or otherwise readily available from any number of other sources it's not like the damage from having income information is catastrophic.
In this case, it was one less step the miscreants have to go through to grade each record set for sale on the black market. No doubt they are going to (or already have) sort by income descending, break them into nice 100 ID chunks, and sell them to the highest bidder.
Re:income data? (Score:5, Informative)
Why is a healthcare insurance provider collecting income information on the people they insure?
I've worked in employee benefits for over 25 years, and the usual reason is that they are administering more than your health insurance. Often you also have short-term and/or long-term disability insurance, or life insurance. The benefits of these are based on some percentage of your salary. Your short term disability benefit may be 60% of your salary, or your life insurance benefit may be 2 X salary.
In all my time working for insurers like Anthem I have never been asked to pull salary data for anything not related to the above.
Re: (Score:2)
Re: (Score:2)
Monetization of data. All big companies do it. They collect as much data as possible and then sell subsets of data (perhaps anonymized) to 3rd parties, or they may provide roll-up analytic reports to third parties... Stuff like:
I want to build a for profit practice that specializes in cancer treatments. What part of the country am I most likely to find a high number of cancer patients who make enough money to afford what I want to charge for my services?
I buy a service from a data analytics company, they ha
Re: (Score:2)
Credit score and income level are two key indicators on how high your rates will be, and how much government assistance you will get.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
SSN as an ID not password (Score:5, Interesting)
Re: (Score:2)
The silly part is that knowing an SSN and a few other pieces of publicly available information is enough for someone to grant credit, and then for collections of such credit to be enforceable in court against the supposed borrower.
Re:SSN as an ID not password (Score:5, Informative)
Re: (Score:2)
The issue you are talking about is not exactly right. SSN is an ID .. that is a fact. IDs are never, ever, supposed to be secret. They are in fact supposed to be public so we can discern who is who. However what you are railing against is the proof of identity, which is a separate issue. For example, knowing someone's SSN should not be proof of identity. The issue is that banks/insurance companies/etc. are using insecure practices when it comes to establishing proof of identity.
Re: (Score:2)
Free credit monitoring! (Score:4, Funny)
Badum-tish! (Score:4, Funny)
And no consequences? (Score:4, Insightful)
Sadly, in the absence of data protection laws which makes corporations liable for this, this will continue.
Unless companies carry a real cost for failing to secure this stuff, they'll continue to treat this as an afterthought.
But apparently forcing corporations to not be clueless and careless idiots would somehow be a bad thing.
Sorry, but if you need to have private information like that, you need to be accountable. If you aren't going to make companies accountable, don't allow them to have the data in the first place.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
I'm not sure more laws will help. The health industry is already under tons of laws like HIPAA and this still happened. I also believe that past some reasonable point, more and more regulations make people who do the actual work in the field (doctors in this case) resentful about their jobs.
Re: (Score:2)
names, birthdays, medical IDs/social security (Score:3)
At companies and agencies handling such data, _all_ kinds of data leaks or thefts should be treated as criminal offenses and they should be punished, I mean really punished. If you can't handle the protection of the data, don't handle them in the first place.
While I also consider the thieves to be criminals, I'm more angry with those, who simply are inept to protect their best assets, even more so since they have the money, manpower and resources to do so.
Also, I'd like to see a national blacklist established, with all companies and agencies on it, who had similar massive data breaches, and made publicly available, so as everyone could judge and decide whether they'd like to entrust their data to such idiots.
Notice is 2 Months Late (Score:5, Interesting)
It's nice that they notified us today that our information was breached, but the real question is why they didn't notify us sooner.
They set up a specific website about this breach.
http://anthemfacts.com/
The problem to me is that they just now notified us, yet they registered the domain for the breach on 2014-12-13. Which goes to show that they knew about the breach nearly 2 months (or possibly more) before deciding to inform us.
Re: (Score:2)
Because as any good Security person knows, you have to follow the trail, and find as much information as possible about the hack. Notice they did not say a lot about how it was done, and they cannot even tell what was taken. They need time to work on that, and that is why they hired a digital forensics company to do that. They were required by law to disclose after a certain time frame (2 months), so they did. Otherwise they would have sat on this so they could answer every person's question properly an
Re: (Score:2)
The website didn't exist 2 months ago.
The wayback machine shows no record of it until today.
According to the DNS history, the domain seems to have been parked until they updated the DNS yesterday.
Google shows no mention of this domain by Anthem or anyone else until today.
Anthem specifically says they set up this dedicated website for the breach information.
All that would point you to that this domain was setup for this breach.
Re: (Score:2)
You just circled back to my point. I could care less about their need for a PR campaign to spin it which ever way they think is best. That is still 2 months that the hackers would have had our data to abuse, and Anthem leaving you completely unaware that you immediately need to start monitoring your credit.
Can they tell us what did work out good? (Score:2)
Swedish said the breach is extensive: the vulnerable data included "names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data," though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
Security was breached, personal information was stolen, but no CC or medical information. Can they tell us what prevented the theft of medical information? How can that information be used to prevent the future theft of data with other companies? Using the same methods, could it protect things like employment info and income data? Can systems be designed to be more bullet proof?
My first guess is that the medical information was on different servers, maybe at different locations, and access to those systems
What was the attack vector? (Score:3, Interesting)
Not just individuals at risk (Score:3)
I was hit by Countrywide and Target breaches too (Score:2)
But Your Credit Card Data is Safe (Score:2)
whew! (Score:2)
though "no credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."
Whew... what a relief! I was really worried there for a minute...
why and how do they have income data? (Score:3)
How did they get it in the first place? Probably through my employer of course.
Of course, they do not even acknowledge it on their FAQ any more, that was quickly removed.. Now it only says "employment information".
i'm probably one of these 80MM (Score:3)
By now my SSN must have been stolen several times from several different organizations that simply did not do their jobs properly. If there are consequences of this breach for me and I sue Anthem they'll just point to any of the many other ways in which my PII has been mishandled as a reason to dodge blame. Everyone uses the SSN, even Costco asked for my SSN to join (I refused, but I bet there are many who didn't).
The change has to be in the meaning of the SSN, If the government wants a unique numeric name for any individual I understand, but it's not the same as proof of ID. Proof of ID needs to be either something biometric or something to do with your relationships to other people (but then, Anthem gave away as much of that as they possibly could too).
Massive HIPAA violation (Score:2)
"Someone's gonna kiss the donkey." -- Battleship
Re: (Score:3, Insightful)
Grind your axe somewhere else. You don't like the ACA? Write your congressman. Fuck off.
Re:Thanks Obama (Score:5, Interesting)
Re:Thanks Obama (Score:4, Interesting)
Well, that's democracy in its current form for you. In 2010 the GOP got to re-draw congressional districts, and they gerrymandered them in such a way that anyone other than a staunch right-wing Republican will never ever get elected. You could run Jesus against the GOP candidate and it would be close.
Re: (Score:3)
and they gerrymandered them in such a way that anyone other than a staunch right-wing Republican will never ever get elected
You mean, like the Democrats have done forever in places like Maryland? The way they've tortured the district boundaries in that state is a showcase for craven political monoculture at the state legislature level. That even Marylanders got so sick of the lefty power plays that they refused to coronate the dem governor's anointed successor and went with a relatively unknown Republican in November is pretty telling.
Re:Thanks Obama (Score:4, Insightful)
Yes, the behavior is totally defensible because the other side does it as well.
Except, you know, not.
Re: (Score:3, Insightful)
It's not just naked hypocrisy though. The situation is more like you have a gun on someone, who wants you to put it down; but you are like 99% certain the moment you do they are going to run over pick it up and point it at you.
Dems have used gerrymandering in the past, they would again if positioned to do so; or resort to some other dirty trick like trying to limit corporate donations while leaving the door open for unlimited union contributions. Or for that matter attaching a major health care overhaul to th
Re:Thanks Obama (Score:5, Insightful)
Yes, the behavior is totally defensible because the other side does it as well.
This coming from the person that (a) was the one that brought up gerrymandering, (b) only mentioned the GOP, and (c) vilified the GOP.
A very consistent thinking process you have. You will slam them publicly when the GOP does it, but you will also make every attempt to avoid saying that the DNC is also doing it.
When confronted with your hypocrisy you shrug it off and again make sure to not directly say that the DNC is also guilty but instead say "the other side."
Intellectual honesty is only intact when it's from start to finish. When it isn't from start to finish, you are just a partisan asshole.
Re: (Score:2)
Re: (Score:3)
So both sides are doing it, but you only want to vilify the GOP for doing it. Is that about right?
Yes. Gerrymandering by the Republicans and gerrymandering by the Democrats are not the same. The Democrats started it (Gerry was a Democrat) but the Republicans are much better at it. There are plenty of geographic regions that are more than 90% democrat. These are mostly urban areas with large minority populations. But if you go to the reddest of the red states, say some rural county in Utah, you will find that it is only about 70% Republican. Democrats are just inherently more concentrated, and it
Re: (Score:2)
I wasn't vilifying anyone. Nowhere in that statement did I refer to the GOP, or indeed any particular organization, person, or group. I was making a statement that bad behavior is bad behavior, even when everyone does it. Gerrymandering is hurting our country, and that's gerrymandering both by the GOP AND the DNC.
Now I'm going to vilify someone: Your bias and knee-jerk politics are showing. You're seeing persecution where none exists. I bet you're a fundie, too.
Well, that's democracy in its current form for you. In 2010 the GOP got to re-draw congressional districts, and they gerrymandered them in such a way that anyone other than a staunch right-wing Republican will never ever get elected. You could run Jesus against the GOP candidate and it would be close.
Try again, dipshit.
Re: (Score:3)
So it's so gerrymandered towards Democrats a Republican got voted in....yeah seems legit.
You're (deliberately, no doubt) confusing congressional elections with gubernatorial elections. That you're even putting forth an opinion on the matter while being (or pretending to be) that clueless is pretty funny. Or would be, if it wasn't clear whether or not you vote using that same brain.
Re: (Score:2)
Interesting notion, since congressional districts are drawn by STATE governments, and the GOP didn't (and doesn't) control all State governments.
Then, it has to be vetted by the Justice Department. You remember that one, it's run by Eric Holder. And Obama is Holder's boss, not the GOP.
Re: (Score:3)
The GOP controls enough state governments to put them in a majority in both houses of Congress, despite their unpopularity with the general population. Whether it's the national org or the state ones, it's still the same thing. The state parties do what the national party tells them, more or less, lest they find themselves primaried.
Justice is supposed to follow the law, not make decisions based solely on politics. If there were something illegal or unethical in the re-districting that they could make a c
Re: (Score:3)
Not that political parties up here in Canada don't pull self-serving stunts, but how the US has allowed the architecture of its electoral system to become part of the partisan machine boggles the mind.
Re: (Score:2)
Re: (Score:3, Insightful)
What, you weren't buying medical insurance before Obamacare? I find that hard to believe...
Re: (Score:2)
Hard to believe someone wasn't handing their money over to a private company because the government told them they had to, isn't it? Imagine that, someone taking responsibility for themselves rather than being forced to pour their money down a black hole just to make sure some CEO gets their bonus.
The mind wobbles.
Re:Thanks Obama (Score:4, Insightful)
So, you've got a 100k of disposable income sitting around just in case you had to stay in the hospital for a week? Well, good for you, but I don't want the likes of you setting public policy, you know.
Re: (Score:2)
Yes, I do have that much money available but I'm not the one forcing people to hand over their money to a private company.
If someone WANTS to do so, that's fine, but the government telling people they MUST hand over their money, at virtual gun point, is not the way to go.
Considering how adamantly opposed to the government sticking its nose into people's personal lives and the rantings against corporations, it sure is funny how you folks have managed to laud and support both the things you despise.
Re:Thanks Obama (Score:5, Insightful)
It's selfish to not want to be told by someone else what to do?
It's called civilization. If I want to masturbate in public, or kill people, or be a pedophile, or be a cannibal. Or steal from my neighbors and sell their stuff on ebay, or force my neighbor's wife to have sex with me. I'm not allowed to do those things. It's an infringement upon my freedoms. I am not free to do any of those things without societal repercussions. And I agree with punishments for those things. People should not have the freedom to do those things.
We are a whole lot less "free" than some of us think.
It is the people that think they have an automatic right to tell others what to do that are selfish. This seems to be a common theme in politics today, where a group guilty of something like being selfish, label those that oppose them with what they themselves are actually guilty of.
Read this
http://talkingpointsmemo.com/l... [talkingpointsmemo.com]
Now let's discuss.
Okay, I am certain that washing hands after using the toilet is one of those selfish things that intrude upon freedom. It actually is a restriction. If I have to do something, I am not free from doing exactly as I wish. I am restricted from my freedom to get my coliform bacteria laden shit on people's food. And Sen. Thom Tillis (R-NC) agrees with that.
Do you? Is fundamental freedom to do whatever you feel like doing so sacrosanct that you would be willing to allow your child to die with their internal organs destroyed by a massive E. coli infection just so someone doesn't have to wash their hands? Even if we're not in "Think of the Children mode", are you willing to die because an employee enjoys greater freedom to
He is fine with that. And his other bit of batshit crazy stupidity was that he supported restaurants having to put up a sign saying they didn't require employees to wash their hands after a steaming hot crap, if they don't want to require their employees to have to wash their hands.
Which of course is a regulation, and regulations are bad, and it infringes upon the freedoms of the owner of the restaurant. Is the final answer "Eat Shit and die, it's the way of freedom"?
This is the problem when Libertarianism gets married to Fundamentalist Republicanism. We end up making insane statements. Probably very few people want to eat fecal matter. It's been a known disease vector for a long long time. But when you decide that every law and regulation is an assault upon your freedom, and therefore evil, you get stuck in a potatofest of having to support insane ideas like a complete abandonment of basic hygiene, with Two Girls, One Cup notwithstanding.
It is not selfish to want to avoid other people's tyranny. You dumb fuck.
Meh, define that tyranny? Is it being required to wash your hands? Is it not allowing you to kill anyone you feel like killing? Not being allowed to have sex with your daughter? All are societal restrictions on your freedom. You would be much more free if you could do any of those things, without society judging or impeding you.
This is where all of the faux libertarian arguments fail. Everything a litmus test, and when hoist by your own petard, you end up having to make up things like requiring employers to put up signs that only violate your own litmus tests. There is no civilization without restrictions on behavior. The faux libertarian world is nothing more than modern day crypto-anarchy.
And you calling me a "dumb fuck" is just illustrative of every conversation I have with faux libertarians. All insult, no content.
Info is accessible to hospital, IRS, state, billin (Score:2)
Under the current set of regulations, the information needs to be accessible. The insurance company has to access it, of course, as well as partners like billing and collection companies, doctors and hospitals query the system, and to enforce ACA the IRS needs access, the state exchange you bought it through ... Probably three more types of entities I'm not thinking of off the top of my head. I'd bet there are at least a dozen different government agencies involved with ACA who can query your information.
I
Re: (Score:2)
If the IRS, the insurance company, the hospital, the state, and the billing company can read the data, the bad guy can read it too. The data may very well be encrypted on-disk, so if someone stole the hard drive they couldn't easily read it. It has to be decrypted by the system, though, in order to be useful.
That isn't really true. A well-designed system (they do exist) would leave the decryption to a dedicated security module, separate from where the data is stored. To gain access to the data you first establish a secure connection to the data store, authenticate yourself, and retrieve the encrypted data. You then connect to the security module, re-authenticate, and present the encrypted data along with a (cryptographically signed) request for decryption. The security module logs and validates the request, decr
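The flow described in the comment above (the data store holds only ciphertext; a separate module checks a signed request, logs it and decrypts), as an added example that is not part of the thread and not any vendor's API. All names are hypothetical, HMAC request signing is an assumed stand-in for the signature scheme, and the HMAC counter-mode cipher is a standard-library stand-in for the AEAD a real security module would use.

```python
import hashlib, hmac, json, os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def sign_request(client_key: bytes, request: dict) -> str:
    """Client side: HMAC over the canonical JSON form of the request."""
    return _prf(client_key, json.dumps(request, sort_keys=True).encode()).hex()

class SecurityModule:
    """Holds the data key; the data store only ever holds sealed blobs."""
    def __init__(self, data_key, client_keys, grants):
        self._data_key, self._client_keys, self._grants = data_key, client_keys, grants
        self.audit_log = []                      # (client, record_id, outcome)

    def _keys(self, record_id: str):
        rk = _prf(self._data_key, record_id.encode())    # per-record key
        return _prf(rk, b"enc"), _prf(rk, b"mac")

    def _xor(self, ekey, nonce, data):
        # Stand-in cipher: HMAC-SHA256 in counter mode (assumption, not AES-GCM).
        stream = b"".join(_prf(ekey, nonce + i.to_bytes(4, "big"))
                          for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, record_id: str, plaintext: bytes) -> bytes:
        (ekey, mkey), nonce = self._keys(record_id), os.urandom(12)
        ct = self._xor(ekey, nonce, plaintext)
        return nonce + ct + _prf(mkey, nonce + ct)       # tag binds blob to record_id

    def decrypt(self, request: dict, signature: str):
        client, rid = request.get("client"), request.get("record_id")
        plaintext = None
        try:
            ckey = self._client_keys.get(client)
            if (ckey and hmac.compare_digest(sign_request(ckey, request), signature)
                    and rid in self._grants.get(client, ())):
                blob = bytes.fromhex(request.get("blob", ""))
                (ekey, mkey), nonce = self._keys(rid), blob[:12]
                ct, tag = blob[12:-32], blob[-32:]
                if hmac.compare_digest(_prf(mkey, nonce + ct), tag):
                    plaintext = self._xor(ekey, nonce, ct)
        except (TypeError, ValueError):
            pass                                 # malformed request counts as denied
        self.audit_log.append((client, rid, "granted" if plaintext is not None else "denied"))
        return plaintext

# Constructed sample: one module, one authorised client ("billing"), one record.
hsm = SecurityModule(b"k" * 32, {"billing": b"c" * 32}, {"billing": {"rec-1"}})
stored = hsm.seal("rec-1", b"SSN 000-00-0000").hex()    # what the data store holds
```

A copy of the data store alone yields only sealed blobs; every decryption attempt, granted or denied, lands in `audit_log`, which is where bulk extraction by a compromised but authorised client would show up.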