
One In Four Indiana Residents' E-Record Data Exposed in Hack

Reader chicksdaddy reports that a data breach involving four million patients and more than 230 different data holders (from private practices to large hospitals) hit Indiana especially hard. It's the home state of Medical Informatics Engineering, maker of electronic records system NoMoreClipBoard. While data exposed in the breach affected 3.9 million people, 1.5 million of them are in Indiana. According to the Security Ledger, though: [The] breach affects healthcare organizations from across the country, with healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipboard product that had patient information exposed in the breach. And, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from EMI on how many and which patients had information exposed.

'We have received no information from MIE regarding that,' said a spokeswoman for Fort Wayne Radiology Association (http://www.fwradiology.com/), one of hundreds of healthcare organizations whose information was compromised in the attack on MIE.

  • They scream bloody murder about HIPAA! HIPAA! and act like you are a trrrist if you ask for your cousin's condition.

    Then they give everyone's data away.

    • by Anonymous Coward

      I hate to be a doomsayer, but with the way weapons have surpassed armor, security is almost a pointless battle for companies. If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.

      Take network security. Backdoor in appliance gets an attacker to the management network from there, the TFTP server. From there, copying a modified config. IDS/IPS systems are pointless, as big companies already have these. Same with AV.

      Take privacy. Show me one single We

      • by phantomfive ( 622387 ) on Saturday August 01, 2015 @09:15PM (#50231941) Journal

        If the biggest, most secure organizations in the world (Sony x 2, Target, OPM) can get breached, anyone can.

        I don't think anyone ever said they were the most secure organizations in the world. In the case of Sony specifically, their security was notable for its poor quality.

        • by dbIII ( 701233 ) on Sunday August 02, 2015 @01:46AM (#50232545)
          Spot on. I'll bet in both cases there are plenty of stupid shortcuts that would induce facepalms or "I told you so" on a lot of the readers here.
          Last year I had one idiot ask to put the phone system he was sometimes called out to work on onto the internet with telnet access - with no password! Another wanted direct RDP access to a machine over the internet. Neither of course seemed to have heard of a VPN or gave a shit about security - people who actually do what these idiots say are probably going to get burnt within days with the number of bots out there scanning for stuff.
          • Last year I had one idiot ask to put the phone system he was sometimes called out to work on onto the internet with telnet access - with no password!

            Wow.

            • by dbIII ( 701233 )
              It was the same guy that put an open drink can down on a large live UPS after someone let him into the server room so it's possible that stupidity has killed him by now.
              Turns out the "new" phone system is a ten year old model - so telnet in with no password to change the settings and he wanted us to unblock and port forward telnet to the thing. I wonder if he convinced someone else in another place and who is getting free calls out of diverting through hacked phone systems?

              So yes, these sort of people are
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      HIPAA discourages unauthorized disclosures, but it discourages looking for these disclosures even more.
  • by Anonymous Coward on Saturday August 01, 2015 @07:30PM (#50231549)

    Why should a company storing confidential data have any ability to access any part of that data? Especially when there are hundreds of separate owners of the data!

    Each data owner should encrypt data before it leaves their site. In fact, individual documents should be uniquely encrypted.

    These stories of leaks of massive amounts of data -- again and again! -- just prove that nobody cares.

    • I think it has something to do with the online records requirements of the ACA. If you live in Chicago and have an accident while vacationing in Florida, the doctors in Florida are supposed to be able to access your medical records from Chicago without much effort in order to treat you more effectively and timely. Encrypting it would somewhat end that and somehow this is all supposed to be controlled by the IRS who will share information with about 200 or more other government agencies between the state, lo

  • Patient records are no more safe than credit card info at your local restaurant.

    • Patient records are no more safe than credit card info at your local restaurant.

      Well, let's keep things in perspective here. The breach only consisted of intimate medical details of little people.

      HIPPA-schmippa, it's not like it concerned something vital to national security to keep secret, like the POTUS' college records or original birth certificate.

      I'd bet if Congress and other members of the Federal government were required to participate in the ACA (AKA 'Obamacare') like everyone else, security would be much tighter.

      Strat

    • In the grand scheme of things we already knew that this was bound to happen, and will continue to happen. We need to adapt our attitudes so that we can no longer feel embarrassed by revelations of a personal nature. Everyone will be better off in a future where we are not so obsessed with worrying about our secrets being exposed.
      • It's not just embarrassing data though. Medical records contain social security numbers. Until we address the fact that anyone with my address, birthday and ss# has full access to my credit, these hacks will continue to inflict serious damage.
  • For those of you outside the field, be very, very worried that these (https://en.wikipedia.org/wiki/MIB_Group,_Inc.) guys get hacked. If you have ever had a medical condition covered by any of our world-renowned Private Health Insurance Industry providers, it's on file here. Enjoy. :-)
  • What was so bad about clipboards again?
    • Re:clipboards? (Score:5, Informative)

      by Z34107 ( 925136 ) on Saturday August 01, 2015 @10:56PM (#50232201)

      What was so bad about clipboards again?

      Clipboards have a bunch of known deficiencies. They're effectively write-only, especially if no one else can read the doc's handwriting.

      Then, they're hard to duplicate. Should you end up in the hospital (heaven forbid), hopefully you're conscious enough to explain your drug allergies to the EMT, because it'll take a while to find out which clinic you normally see and get a copy of their clipboard. Then the copy of the clinic clipboard ends up in the hospital's clipboard, but the stuff in the hospital clipboard probably won't make it back to the clinic clipboard.

      There's also only one copy of the hospital clipboard, so the cardiologist treating your heart attack can't put notes in your clipboard if the hospitalist took it to figure out what meds you were (or should be) on. If they do make copies, someone has to make sure the cardiologist's annotations make it into all of them without error. Those charts then have to be stored in a giant bunker somewhere, forever.

      Clipboards are also bad at medication safety. When you're giving millions of med administrations to millions of patients, eventually you end up giving the wrong drug to the wrong one. Clipboards can't verify that you nabbed the right patient or the right drug, which kills people once you scale up the mistakes that would have happened to a national level.

      Even before the nurse gives the meds, a clipboard can't tell the doctor that one of the medications he's ordering will interact with the medications someone else ordered. That also kills people. If one lot of those medications was tainted and recalled, it's also really, really hard to find out who was affected if all your administrations are documented on paper.

      Finally, it's really hard to bill correctly if all of your documentation is on paper. If the coder going over the clipboard misses a charge, the hospital loses out on money. If the coder invents a charge, you lose out on money. If the coder can't find whatever documentation a kafkaesque insurance company demands to justify a procedure, you both lose out on money. Also harder to reject a claim for not being written in blue pen with block caps when the claim is electronic.

      There's a bunch of other ways clipboards suck, and a bunch of ways the clipboard-replacements suck, but the former tends to suck a lot more than the latter.

      • There's a bunch of other ways clipboards suck, and a bunch of ways the clipboard-replacements suck, but the former tends to suck a lot more than the latter.

        Fair enough.

      • Clipboards have a bunch of known deficiencies.

        Your post is informative and makes a lot of sense. On the other hand, I think there are plenty of new types of errors which can be created with electronic systems. In particular, when you abstract data from records and substitute codes in, you make it easier for people to stop looking at original records. Those original records might also contain contextual information that would prevent some errors. In most cases, I imagine the benefits of electronic records outweigh the problems, but when you depend o

        • by Z34107 ( 925136 )

          I won't disagree that medical billing is still a nightmare, but it's not the fault of CPT codes. No insurance company will sign a blank check and ask the doctor to fill in the amount; they all have a maximum they'll reimburse for, say, a broken leg, and they'll reimburse "broken leg" differently for a simple fracture than an unexpected amputation that took a crack team of surgeons 32 hours to reattach.

          The codes are just a standard way to quantify exactly what was done. The "standard" part is important s

  • by Anonymous Coward

    Only one in four? Lame. They need to sweep up the other 75% of medical records from Indiana. Go big or go home!

  • by Anonymous Coward

    No government employee is fired. Ever. No matter how incompetent they are. If you get lucky, sometimes they resign out of shame. Otherwise too bad, they're stuck there.

  • What operating system platform does NoMoreClipBoard run on and technically speaking, how exactly was the hack implemented?
  • Governor Mitch Daniels outsourced the unemployment database, and slashed the budget for job training for the unemployed in an attempt to keep Indiana "in the black". As a result, there are fewer IT jobs in Indiana, and those who are trying to jumpstart their career are generally-speaking, FUCKED. I wonder if any shortcuts were taken with their statewide medical patients database? It wouldn't surprise me.

  • Does anyone have a list available of HIPAA-actionable, large-scale data breaches in the past and ensuing convictions or case outcomes / penalties from such?

  • Meanwhile 4 out of 4 Indiana's complete records plus cell tracking data has been exposed by the NSA
