Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

SAIC Loses Data of 4.9 Million Patients 182

An anonymous reader writes "Government contractor SAIC just can't seem to get a break. Still fresh off of the Citytime scandal, they've now had a data breach in which backup tapes holding 4.9 million personal health records were stolen from an employee's car. To add insult to injury, evidently the tapes were not encrypted either: 'Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape."'"
This discussion has been archived. No new comments can be posted.

SAIC Loses Data of 4.9 Million Patients

Comments Filter:
  • LOL (Score:5, Informative)

    by afidel ( 530433 ) on Tuesday October 04, 2011 @01:42PM (#37602216)
    Hard to encrypt tape?!? Every LTO5 and most LTO4 drives support hardware AES encryption!
    • rot256 is for arbitrary 8-bit binary data.

      "rot256 - like rot13 but 19-20 times as much rot!"
      - rejected slogan, rot256 working group

    • by cjb658 ( 1235986 )

      Maybe there's a patent for encrypting patents.

    • by mlts ( 1038732 ) *

      Bingo. For basic encryption, I logged onto the tape silo, typed in a passphrase, enabled encryption, and called it done. Transferring the key via SPIN/SPOUT to the drives does the rest.

      If I wanted better encryption, I can use a key management system, changing out keys for written tapes, but yet keeping them on the appliance for reading. Of course, a backup of the keys are made and stored.

      Even without LTO's built in encryption, every modern backup program supports some type of AES level software encryptio

    • From TFA:

      Raley is "director of healthcare solutions at IT integration and security company Axway" and the quote "very hard to encrypt tape" is attributed to him, not SAIC.

      SAIC has not said if the data was encrypted on the tapes or not.

      If you use Axway as a vendor, you should fire them.

    • Hard to encrypt tape?!? Every LTO5 and most LTO4 drives support hardware AES encryption!

      I think he may have meant one of two things...

      1) He was thinking about encrypting tapes when they are already outside of the system. If an employee wanted to remove them from the secured facility, then how would he encrypt them in place without disrupting the production system?

      2) He may be looking at it from their internal point of view. They probably have a large, old, proprietary, expensive system (what else in a government operation?) that doesn't support encryption and is not easily upgraded without a

  • Seriously?

    What kind of knuckle dragging moron can't figure out how to encrypt the data stream they're backing up?

    • Seems to be that it was an ignorant attempt at sarcasm, as in "How do you encrypt plastic?" Clearly he's the kind of knuckle dragging moron that shouldn't be making statements regarding the topic at hand.
    • Lol, this guy took the tapes out to his CAR, would you feel ok walking around with your companies database in your briefcase?

      I wouldn't, I'd VPN in to grab it, not carry it, and I'd make sure I'm using a hardened windows to do it too. That kind of liability can really put a kink in somebody's day.

      This fine gentleman though, not only removed the tapes, he put them in his car.

      Now with that thought pattern do you REALLY expect him to know about encrypting tapes?

      Some people just shouldn't be allowed to be arou

      • by dave562 ( 969951 )

        Lol, this guy took the tapes out to his CAR, would you feel ok walking around with your companies database in your briefcase?

        I have to take drives to and from the data center with confidential and sensitive data on them. They are TrueCrypted with strong pass phrases, but just having the data in my possession makes me hesitant to go anywhere other than directly to/from the data center and office. Stop at Starbucks? No way! What if someone steals the drive during the 5 minutes it takes me to get my coffee

        • by Bucky24 ( 1943328 ) on Tuesday October 04, 2011 @03:00PM (#37603400)

          When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

          Every time that happens they kill all the witnesses. So no one ever knows...

          • by dcsmith ( 137996 )

            When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

            Every time that happens they kill all the witnesses. So no one ever knows...

            Taking security through obscurity to a new level.

          • Since the first person to witness the crime would the thief, I'm actually OK with that....
        • When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

          Based on a quick search, at least as recently as 2009. And then 2008 before that. And 2007, 2006, and 2005 (twice) before that.

          http://datalossdb.org/organizations/128-iron-mountain [datalossdb.org]

          We use Iron Mountain and they're generally good (and the local warehouse is only a couple of miles away), but it's still a good idea to encrypt any tape that leaves the facility, whether or not it contains personal data. A system

          • by dave562 ( 969951 )

            it's still a good idea to encrypt any tape that leaves the facility, whether or not it contains personal data.

            Agreed. Encrypting the backup is standard practice. Or at least it should be if the admins are competent at what they do.

      • by Seedy2 ( 126078 )

        Unfortunately there are id10ts out there (typically upper management) who once heard the phrase offsite backup from one of their golf buddies, and thought it meant "have the IT staff take the backup home with them, in case there's a fire". Continuing with some variation of: "Besides, if we need something restored they can get it back faster than iron mountain"

        The hours I've argued...

        • by seifried ( 12921 )
          Well: Google says... [google.ca] "Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers." Among others.
          • by Seedy2 ( 126078 )

            Not claiming they are perfect, just saying the not-so-well-thought-out "additional measures" are less than helpful, as a rule. :)

      • you'd VPN a few LTO5 tapes, wow, I would like to have such a nice internet connection....

      • by Hatta ( 162192 )

        Never understimate the bandwidth of a briefcase full of LTO tape. If it's encrypted, it should be absolutely no problem physically transporting the backups off site yourself.

        Don't get me wrong, this guy is an idiot. But the fact that he had backup tapes on his person, in his car, is not evidence for that.

        • If it's encrypted, it should be absolutely no problem physically transporting the backups off site yourself.

          Which reduces it to a problem of securely transporting the key.

  • And most of the big vendors and even many free software systems support key management. So no, it isn't very difficult. You just have to give a shit.

  • by Oxford_Comma_Lover ( 1679530 ) on Tuesday October 04, 2011 @01:43PM (#37602242)

    Yeah, encrypting a backup tape might take another hour or two to configure... not at all reasonable overhead for 4.9 million patient records

  • What's the probability that someone breaks into your car and steals computer tapes?

    • Re:Espionage? (Score:4, Insightful)

      by Nkwe ( 604125 ) on Tuesday October 04, 2011 @01:46PM (#37602284)

      What's the probability that someone breaks into your car and steals computer tapes?

      Maybe not as high as an employee selling the tapes and claiming that they were stolen.

      • by N8F8 ( 4562 )

        I had a similar thought. Highly suspicious.

        • Why would an employee that has access to the data steal the tapes and not make copies.Esp with all the attention even saying the tapes were stolen would cause. "Never attribute to malice that which is adequately explained by stupidity"

          • If a copy is found, it may be possible to determine when the copy was done and by whom. E.g., "Suzy's record was added on the 3rd and Bobby's was added on the 4th. This copy has Suzy's record but not Bobby's, so the copy must have been taken on the 3rd. Who did the backups on the 3rd?" By saying the tapes were stolen, it's much less suspicious if a copy is found.
          • by dave562 ( 969951 )

            Depending on the environment, it is very easy to detect a copy operation. Due to the sensitive of the data we deal with, we have controls in place. Every time a drive is attached / detached from the server it is recorded. Internet connectivity is prohibited. ACLs on the servers prevent mounting remote file systems, and even if they could be mounted, the mount would be logged.

            In my environment, it would be much easier to "lose" a backup tape than to simply copy the records. Of course, that is not entire

      • by mlts ( 1038732 ) *

        Any firm that doesn't have a chain of custody of tapes is failing ITIL 101.

        For example, on premises, tapes should be either sitting in the silo, inserted in a tape safe [1], or in the blue containers with a seal on them waiting for the IM van.

        Not rocket science here. It is disappointing seeing organizations not follow this.

        [1]: Businesses need an on premise tape safe. This is less for security (since the safe should be located fairly near the data center, and behind locked doors), but for protection in c

    • Yeah, I was thinking that either they're covering up some other incompetence or this was an inside job. I'm inclined to think that someone knew those tapes would be in that car at that time. But then there's Hanlon's razor, never attribute to malice that which is adequately explained by stupidity. And this was pretty stupid.
    • I'd say there's 99.9% chance that the thief didn't know what they were grabbing. Break a window, grab any bags or boxes you see and get out of there is how most operate. Of course, there's a 0.01% chance that the thief knows exactly what they were going after and has been casing the mark for weeks waiting for the right opportunity. And then there's a the overlap of maybe 10% that didn't know when they grabbed it but are completely away of it by now, either through media reports (not that the media should

      • I suppose, but who's going to steal tapes without knowing what's on them? Without more information it's hard to say, but it's a lot less likely that a smash and grab is going to be triggered by seeing tapes, unless the thief has some idea what's on them.

        Laptops OTOH, I totally see how those would be stolen by somebody not knowing what's on them.

    • What's the probability that someone breaks into your car and steals computer tapes?

      If they're sitting in plain view? Somebody busted my window to steal less than a dollar in change that was sitting in the center console. And that was in a car that was already missing the radio because of a previous break-in.

  • by subreality ( 157447 ) on Tuesday October 04, 2011 @01:46PM (#37602280)

    It's very hard to encrypt a backup tape.

    I think I speak for everyone when I say: Fuck you, no it's not. I don't have any problems encrypting my personal backups even though I have nothing more private to protect than porn. You people are supposed to be professionals. Telling people their data is safe because it would require "special hardware and software" to read the tapes is pathetic. Get your shit together, sir.

    • by rk ( 6314 )

      I worked on a networked backup and recovery system and in the 1.1 version of our product, we integrated encryption both of the data streams from remote systems, and of the data on the tape itself.

      This was 10 years ago. If you bought recovery software from a competent vendor, it's not hard at all.

    • by mlts ( 1038732 ) * on Tuesday October 04, 2011 @02:23PM (#37602894)

      Nail. Head. Hit.

      "special hardware and software" gets me...

      A LTO-5 drive and access to GNU tar or cpio is an alt-tab away for a number of IT people.

      • Sledgehammer. Head. Hit.

        At least, that's how I'd like to react to an organization whom I'm paying (indirectly via my taxes) failing in their legal requirements to keep this data absolutely secret. And in a way that is obviously stupid: They had no business storing things unencrypted on a backup tape, and no business having their offsite backup solution be "stick it in the back of somebody's car". I'll put it this way - my organization deals with information far less important than that, and we treat our bac

    • require "special hardware and software" to read the tapes

      Eh, technically it does. You could also say that a CD requires special hardware and software to read. It's just that the hardware and software in question is fairly easy to obtain...

  • by idontgno ( 624372 ) on Tuesday October 04, 2011 @01:46PM (#37602282) Journal
    Did you just say ""It's very hard to encrypt a backup tape."? In public? Out loud? With a straight face?
    • by jd ( 1658 )

      After their competitor, CSC, walked off with a few billion from the UK in exchange for vapourware, saying that with a straight face would have been almost easy.

  • Now, I dont know anything about tape drives, but how can it be difficult to do the encryption?

    Simplest process would be to just zip them up with 7-zip, split into archives the size of the tape and apply a password to it.

    May not be the strongest security, but still better than nothing
    • Backup processes are typically automated and do not use 7-zip, but instead use backup utilities that cost $$$ like NetBackup. Most enterprise grade backup software can utilize software encryption for the backups. Tape drives can do the same on the hardware side if you bought the feature. Besides offloading the encryption algorithm to the tape drive, it also opens the door for storage deduplication for the volumes holding the disk based backups (encryption would obfuscate the data in the blocks rendering
  • by Smallpond ( 221300 ) on Tuesday October 04, 2011 @01:52PM (#37602370) Homepage Journal

    When we stored tapes at an offsite backup, they were picked up in a locked metal box by uniformed security guards who delivered them to their protected site. These days it has shifted to VPN. Never heard of just having tapes sitting in an employee's car. What was the offsite backup? A shoebox in his closet?

    • Re: (Score:2, Funny)

      by Anonymous Coward

      I used to work at a firm that sent the backup tapes home with the tech.
      She stored them under her bed.
      I told her that was a great place because if her husband ever came home early and found a strange man in the bedroom she could say he was just there to get a backup.

    • Raises hand. That's exactly what I did (offsite backup into shoebox in my closet). Of course the tapes were encrypted, it was 1987 and we were a small business with little sensitive data (still our customer DB was valuable, if only to competitors).

      I interviewed with SAIC about 10 years ago. Let me say that the place reeked of stupid. I told them I had already found a job when they called back for second round.

  • "It's very hard to encrypt a backup tape."'

    Then encrypt the data, nimrod. These people actually get paid? Since when do they store HIPAA-related data and NOT encrypt it in the tables or wherever.

    Exporting data to a nonencrypted anything is wrong. And backup tapes need not have raw data on them. Probably they shouldn't.

    • Since when do they store HIPAA-related data and NOT encrypt it in the tables or wherever.

      When it is profitable to do so.

  • Who was responsible for transporting and losing unencrypted data with PHI in an unsecured environment? Should be jail time for the boss who approved this.

  • by goldspider ( 445116 ) on Tuesday October 04, 2011 @01:55PM (#37602418) Homepage

    So is SAIC going to be fined for their illegal (if unintentional) disclosure of patient medical records?

    Ha ha! Almost got ya there, didn't I? Of course I know the answer already!

    • I doubt they will, but there have been recent fines handed out for HIPAA violations, so hopefully.

      The only way that businesses will take this sort of thing seriously is if there are real fines and preferably prison time for the executives in charge of this mess.

  • The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.

    I've worked with some weird systems before, but none so weird that I'd consider it that hard to get something off the tape. Even if the data structures are too strange to find everything, you might be able to link names with SSNs.

  • and a couple of questions.

    For those who don't know, Tricare is the "health insurance" that pays for providing health care for members of the military and for those retired military members that pay premiums. However, I don't remember SAIC having any contractual role in administering the Tricare system. Perhaps they were contracted by DoD to perform some kind of historical data analysis, and authorized access on that basis... but the reports make Tricare out to be the party at fault, so that would imply that

    • It's gauche, but I'm gonna follow up to myself to ask the questions that came to mind.

      • What precise role did SAIC have in this? As I mentioned, I don't remember SAIC being involved in Tricare administration "back in the day".
      • Why, exactly, does Tricare think HIPAA privacy protections don't come into effect in this case? If this had been Blue Cross/Blue Shield, you can be damn well sure the HIPAA police would have been down there with sirens screaming. The only difference is that Tricare is a government-admin
      • by Tekfactory ( 937086 ) on Tuesday October 04, 2011 @02:39PM (#37603136) Homepage

        Well if it's a strictly Government program HIPAA isn't its regulatory framework. They'd still have a requirement to protect Personally Identifiable Information under FISMA act of 2002 and OMB Memorandum 06-16 which came out after the VA lost their records. Among other things M06-16 requires you to encrypt senstivie data on mobile media and data in transit.

    • Anyway, TFA says that 4.9 million people were affected, but also that the tape contained health records from facilities in the San Antonio, Texas region for a 19-year period. 4.9 million people seems like a really large number for the service catchment area of one city, even if it has several primary military care facilities and a large semi-transient military population. Maybe if they include the induction medical records of Air Force recruits at Basic Training at Lackland AFB, for instance.

      That's only 2
    • Great. We just need to have it happen 49 more times and then the entire country might have gotten a clue and implemented something vaguely resembling proper security.

  • Surely you jest? Getting amanda to encrypt your backups [zmanda.com]. Is just a matter of reading some howto files on amanda's website. And, just peeking over at bacula's website [bacula.org], I can see that they have a similar sort of setup [bacula.org]. I don't use bacula, but I'm sure it is a matter of following the directions just like with amanda. It is not clear how anyone can consider encrypting backup tapes as a difficult process. For that matter, with TrueCrypt [truecrypt.org], OpenSSL [openssl.org], GnuPG [gnupg.org], FreeBSD's geli [wikipedia.org], and linux's dm-crypt [saout.de] encryption in ge
  • Someone seriously needs to go to jail for a long time.
  • Seriously, this is a major violation of HIPAA regulations (major as in "complete brain fart").
  • Someone beat the guy over the head with a clue-stick and stop the PR spin-wheel from being so absolute obvious. Just about EVERY enterprise level backup tape system supports built-in hardware encryption! You don't even need your software level stack to do it. The hardware itself encrypts the tape as it writes the data based on the firmware settings you configure on the device. It then automatically de-crypts it when it reads that tape later as it uses the same access keys/settings you gave it originally. So
  • How many times will tapes be stolen from a car before these people wise up? http://www.computerworld.com/s/article/108101/Update_Thief_nabs_backup_data_on_365_000_patients?taxonomyId=084 [computerworld.com] About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records. In an announcement yesterday, Providence Home Services, a division of Seattle-based Prov
    • Comment removed based on user account deletion
    • consultant / contracts / sub contracts seem like buck passing. But let the new guy, intern handle holding the off site back up?

      Why not at least give them to a permanent or more long term worker or where they to smart to take responsibility for the back ups. But the intern will do just about any thing to try to get a perm job.

      Now just having some keep the off site in there home and or car is a poor place to cheap out. Now if you want them to take it to a safe off site place have them do as part of the work d

  • the tapes were stolen from an SAIC employee's car during a burglary the night before.

    What kind of idiot leaves tapes containing confidential data in a car, OVERNIGHT ? I wouldn't even leave a half-eaten sandwich in there overnight...

    Gotta love government, contracting out to the biggest crooks and morons they can find.

  • I had the misfortune of working with a consulting company who worked for a large oil and gas company doing water quality work. We were supposed to integrate with their EMIS application. First off it was only a month before the rollout that they contacted us to get some real life data. They had mindless inheirted off of air testing data and knew nothing about water testing. This is a marker of OOP newbies. They also didn't understand that the regulatory requirements changed with the seasons due to high flow/

  • 4.3 Million patents gone! Sayonara you innovation starving sunsabitches!

    Wait, what?

  • Tape backups are trivial to encrypt - the tape just stores data after all and doesn't care if you encrypted it before the tape sees it. Or turn on the encryption option and hope the vendor didn't screw it up.

    Now of course once you have encrypted backups the encryption keys become very important. Losing them at the same time as you lose data you need restored (because you lost the machine where you kept them for one simple retarded scenario) puts you in a world of hurt - so there's some costs/benefits to con

  • Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure

    -Who wants to bet that all you need to pull the data out is something like: dd if=/dev/tape | strings, perhaps with conv=ascii given to dd... and maybe gunzip or bunzip2. Sigh. Specific hardware: tape drive and a scsi card. Software: any recent unix would do. Knowledge of data structure: they obviously Huffman-coded all their SQL dumps, right? Haha.

  • Perhaps if you're retarded. Were his records among those stolen? Perhaps we'll be able to check in a couple of months.

    And what the fuck were they doing in an employee's car, to begin with?

    How many HIPAA violations does this incident constitute. At what point does SAIC lose their ability to do business with the US Government?

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...