Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Data Storage Education Security News

Break-In Compromises 160k Medical Records At UC Berkeley 167

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."
This discussion has been archived. No new comments can be posted.

Break-In Compromises 160k Medical Records At UC Berkeley

Comments Filter:
  • Old Story (Score:5, Informative)

    by Plekto ( 1018050 ) on Tuesday May 12, 2009 @01:05PM (#27924107)

    http://www.wired.com/threatlevel/2009/05/uc-berkeley-suffers-breach-of-student-health-data/ [wired.com]

    The email informing students of the breach was sent on May 8th. It was all over the news last Friday.

  • Re:And... (Score:2, Informative)

    by NoStarchPlox ( 1552983 ) on Tuesday May 12, 2009 @01:18PM (#27924313)
    The information wasn't accessible through the public site. The problem was that the server compromised through the public website also contained the private databases.
  • Re:Duh.. (Score:5, Informative)

    by v1 ( 525388 ) on Tuesday May 12, 2009 @01:36PM (#27924583) Homepage Journal

    The next battle, as I understand it, will be trying to sign up for an iPhone without giving an SSN. I've heard it can be done, but, sometimes take a number of tries before finding the salesperson/mrg that will do it.

    It's got to do with a credit check. You need to surrender your SSN for the normal credit check, and they use the results to determine your deposit. Very few companies will do an alternate (less informative/reliable) check that does not require your ssn.

    Without the credit check, you can still get a phone, 100% of the time. You will just have to pay a very large deposit, the largest possible for people that have horrible credit. Anyone that tells you that your ssn is required to get an iPhone is out of touch with reality.

    This is true of any of the places that are not authorized by law to require your ssn. So same applies to the others that are often brought up, such as utilities, and pretty much always applies to calculation of a deposit or interest rate.

  • Re:Auditing Logs (Score:3, Informative)

    by Culture20 ( 968837 ) on Tuesday May 12, 2009 @01:51PM (#27924811)

    Part of my daily duties as a systems administrator was auditing connection logs for odd behavior. Don't admins do that anymore?

    A lot of that is left up to parsing scripts, interns, or just ignored. Plus, "Odd" is relative. If one of your people is overseas in China, and his VPN account logs in from China IPs at odd times of the day, it could be normal. Until it logs in twice at the same time or after he comes home, you won't notice.

  • by darkdaedra ( 1061330 ) on Tuesday May 12, 2009 @02:13PM (#27925131)
    I got the e-mail -- I was a student there at the time. It wasn't the medical records that were compromised, just the SHIP (student health insurance plan) waiver application data that was stolen. Those waivers included SSNs. It's more of a credit/identity theft issue than a medical record issue -- unless of course identity thieves were using that information for health insurance applications, which is, I guess, a real possibility.
  • Re:Old Story (Score:2, Informative)

    by jggimi ( 1279324 ) on Tuesday May 12, 2009 @02:23PM (#27925285)
    Yes, but the most interesting part of the story is at Berkeley's website [berkeley.edu]. They were entirely unaware of the intrusion until the "highly skilled" intruders, having had their way with Berkeley's system(s) for eight months, "...left messages on the server."
  • Re:Old Story (Score:3, Informative)

    by Jazzer_Techie ( 800432 ) on Tuesday May 12, 2009 @02:46PM (#27925647)

    Here is the text of the email that was send out to the Berkeley community.

    We want to let you know that today the campus is sending notification letters and emails to members of our community to inform them of a computer breach that resulted in the theft of personal information from databases in our University Health Services, UHS, area.

    The victims of this crime are current and former students, as well as their parents and spouses if linked to insurance coverage, who had UHS health care coverage or received services. We are also sending notification letters to Mills College students who received, or were eligible to receive, healthcare on the UC Berkeley campus.

    We sincerely regret and apologize for any difficulty this theft may create for individuals who may have had their personal information exposed. We have alerted campus police detectives and the FBI, and are doing all that we can to investigate this crime. All of the exposed databases were immediately removed from service to make sure that they would be completely protected from any future attacks.

    Those individuals directly affected by the theft will receive letters with detailed information on steps that they can take to protect their credit and identity. We have launched a dedicated web site, http://datatheft.berkeley.edu/ [berkeley.edu] that contains detailed information for affected individuals, the media and the general public. In addition a Data Theft Hotline, 888-729-3301 will be operating 24 hours a day, 7 days a week to answer questions from affected individuals.

    UC Berkeley computer administrators determined on April 21 that electronic databases in UHS had been breached and data stolen by overseas criminals. The databases stored personally identifiable information used for billing such as Social Security numbers, and non-treatment medical information such as immunization history, UHS medical record numbers, dates of visits or names of providers seen, or for participants in the Education Abroad Program, certain information from the self-reported health history.

    Please be assured that UHS electronic medical records, which include details of patients diagnoses~, treatments and therapies, are stored in a separate system and were not affected in this incident.

    To ensure that we fully understand the nature of the security breach and to determine the steps that we can take to minimize the risk of a reoccurrence, the university has hired an outside auditor, Price Waterhouse Coopers, to support our ongoing investigation of the incident. The campus is committed to implementing recommendations that address the root causes of this security breach.

    Steve Lustig
    Associate Vice Chancellor
    Health and Human Services

    Shelton Waggener
    Associate Vice Chancellor & CIO
    Information Services & Technology

  • by broen ( 1197939 ) on Tuesday May 12, 2009 @05:05PM (#27928183)

    Are you serious? They're not trying to save a few bucks on the support staff -- that's what students are for. They have a large number of international employees because they hire researchers, lecturers, and professors from overseas to promote the exchange of ideas across cultures. Since that is, you know, the entire point of a university.

    It is you that should be investigated for criminal dipshittery.

"I prefer the blunted cudgels of the followers of the Serpent God." -- Sean Doran the Younger