Private Medical Data of Over 1.5 Million People Exposed Through Amazon
Gizmodo reports that a wide variety of information about 1.5 million people -- everything from police injury reports, doctor's notes about their patients, and social security numbers -- "all were inexplicably unveiled on a public subdomain of Amazon Web Services. Welcome to the next big data breach horrorshow. Instead of hackers, it's old-fashioned neglect that exposed your most sensitive information."
From the article: Tomorrow, [Texas-based researcher Chris Vickery, who discovered the breach] will turn over the data to the Texas Attorney General, where it will be destroyed. But that doesn’t mean Systema is in the clear. Vickery may not be the only person who downloaded those millions of records as they sat out in the Amazon cloud.
We don’t know how long the information was available for everyone to see. But no matter what the timeframe, the neglect could be a HIPAA violation: Systema failed to protect the security of patients’ electronic medical information.
but...but... the cloud (Score:2, Funny)
is secure enough to store sensitive personal data....
Re: (Score:2)
It totally is. You just need to disconnect all the computers that are part of the cloud from the internet.
Re:but...but... the cloud (Score:5, Funny)
Shockingly, AWS allows you to configure your servers in an insecure manner. Clearly, the cloud must be insecure.
Re: (Score:2)
I have uploaded files to AWS S3. The default permission setting allows anyone to read files if they know (or can guess) the bucket name. S3 users need to be more proactive. They need to lock down access to their S3 buckets (often used for backups). The defaults can be changed.
copy_tags_from_spot_request_to_instance.py [amazonaws.com]
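The comment above is about bucket permissions, so here is a concrete way to check one. This is an added example, not code from the original thread or from Systema, Amazon or anyone else named in it. It is a small Go checker that reads an S3 bucket policy document (the JSON that `aws s3api get-bucket-policy --bucket NAME` returns) and flags Allow statements that grant read or list actions to every principal. The bucket name `example-backups`, the role ARN and the source CIDR in the sample policy are constructed for the example. It inspects the policy only: a bucket can also be made public through its ACL, and the account-level and bucket-level Block Public Access settings override both, so this is one of three things to check, not the whole audit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of a bucket policy statement this checker inspects.
// Principal, Action and Resource may each be a string or a list in real
// policies, so they are kept raw and normalised by asList below.
type Statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
	Condition json.RawMessage `json:"Condition"`
}

// Policy assumes the common array form of "Statement"; a policy with a single
// bare statement object would need an extra decode step.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// asList decodes a JSON value that is either one string or an array of strings.
func asList(raw json.RawMessage) []string {
	if len(raw) == 0 {
		return nil
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err == nil {
		return many
	}
	return nil
}

// principalIsPublic reports whether the Principal grants to everyone: the bare
// "*" or {"AWS": "*"} / {"AWS": ["*", ...]}. A specific ARN is not public.
func principalIsPublic(raw json.RawMessage) bool {
	for _, p := range asList(raw) {
		if p == "*" {
			return true
		}
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(raw, &m); err == nil {
		for _, p := range asList(m["AWS"]) {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// grantsRead is true if any action lets a caller list or download objects.
func grantsRead(actions []string) bool {
	for _, a := range actions {
		switch strings.ToLower(a) {
		case "*", "s3:*", "s3:get*", "s3:getobject", "s3:list*", "s3:listbucket":
			return true
		}
	}
	return false
}

// PublicReadStatements returns the labels of unconditional Allow statements
// that let any principal read, plus the labels of public-but-conditional ones.
// Conditions need a human: aws:SourceIp can narrow "*" to something safe, while
// a condition such as aws:SecureTransport still leaves the bucket public.
func PublicReadStatements(policyJSON string) (public, needsReview []string, err error) {
	var pol Policy
	if err = json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return nil, nil, err
	}
	for i, st := range pol.Statement {
		label := st.Sid
		if label == "" {
			label = fmt.Sprintf("statement[%d]", i)
		}
		if st.Effect != "Allow" || !principalIsPublic(st.Principal) || !grantsRead(asList(st.Action)) {
			continue
		}
		if len(st.Condition) > 0 && string(st.Condition) != "null" {
			needsReview = append(needsReview, label)
		} else {
			public = append(public, label)
		}
	}
	return public, needsReview, nil
}

// samplePolicy is constructed for this example (not a real bucket): a classic
// world-readable grant, a correctly scoped grant to one role, and a public
// statement narrowed by a source-IP condition (203.0.113.0/24 is a documentation range).
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "AppRoleWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-writer"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-backups",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}`

func main() {
	public, review, err := PublicReadStatements(samplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println("public read:", public)   // [PublicReadGetObject]
	fmt.Println("needs review:", review)  // [OfficeOnly]
}
```

Run it against a real bucket by piping the policy out of `aws s3api get-bucket-policy` into `PublicReadStatements`, and pair it with `aws s3api get-bucket-policy-status`, which returns AWS's own `IsPublic` verdict, and `get-bucket-acl` for the ACL side.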
Re: (Score:2)
Shockingly, AWS allows you to configure your servers in an insecure manner. Clearly, the cloud must be insecure.
Well, at its essence, "the cloud" means "someone else's servers". This being the case, it should be abundantly clear that there is no magic there. If you use "someone else's servers" in an insecure manner, it's not the someone else that is at fault. Even Amazon tacitly admits as much. Ever tried to get them to sign a Business Associate Agreement (a statutory requirement when you let a third party handle records covered by HIPAA regulations)? They will, but only after you've satisfied them that your use of their platform is sufficiently secure. It's a cinch that Systema didn't have a BAA with Amazon. Guess who's going to get fined?
Wouldn't people with a little skepticism at least encrypt their files before uploading them, even with something trivial like zipping them with a password?
Not really related to Amazon. (Score:5, Informative)
Should probably be pointed out that this has nothing to do with amazon other than it was their web hosting used.
Re:Not really related to Amazon. (Score:5, Insightful)
Should probably be pointed out that this has nothing to do with amazon other than it was their web hosting used.
Amazon is a big name. Amazon is related to the story because it makes more people read the story. It's like if you have a story that Donald Trump's barber is secretly Sweeney Todd. The story becomes Donald Trump.
Re: (Score:2)
Or Mr. Trump got his haircuts from Dogbert [dilbert.com].
Re: (Score:2)
The bigger story would be that Trump had a barber.
Oh no, that hair is definitely styled.
Re: (Score:1)
I never knew Tribbles were capable of this kind of dastardly plot.
Re: (Score:1)
You don't understand insurance. The whole point is that you're paying a fixed premium to eliminate a risk. You're paying for certainty. Without health insurance, you risk that some unpreventable medical problem makes you go into crippling debt for the rest of your life. That can happen regardless of how healthy you are.
Sure, but when you smoke two packs a day, or when the doctor tells you you're 50 pounds overweight and you keep hammering the buffets, shoveling fried food into your corpulent mouth, and not getting any significant exercise, well then we're no longer talking about "unpreventable", are we? That's not the same thing as driving down the road, having a deer jump out in front of you that no one could have seen in time, and getting injured in the crash.
Yes, they can apply surcharges and rate some people as much riskier than others, but the entire concept of insurance is much better suited for the latter case than it is for the former. What a lot of people want is to appease their sense of justice by having some assurance that those who are at least attempting to be healthy are not forced to subsidize those who blatantly aren't. A huge number of people think it's "inconvenient" they can't have everything they want with no downsides. They can't claim ignorance and they're setting themselves up to learn a hard lesson. The adults who understand that decisions carry consequences -- and make their choices accordingly -- don't want any part of the results. That's what I mean by a sense of justice. Whether you agree with it or not, that's where the concern about precisely how the insurance is implemented is coming from.
Re: (Score:3)
You object to individuals saying, "I'm healthy", but you allow businesses to say, "we're doing the best", "we have good environmental practices", and "we are financially sound" with little (preferably no) oversight.
Re: (Score:2)
It's interesting that this sort of rhetoric comes from the far right, while at the same time they defend ignoring external costs of things like fracking. You're paying for those too. Whether it is a necessary evil or not, it is almost certainly less efficient and carefully done than it would be with some sort of oversight. You object to individuals saying, "I'm healthy", but you allow businesses to say, "we're doing the best", "we have good environmental practices", and "we are financially sound" with little (preferably no) oversight.
Actually I want one of two scenarios: insurance goes back to its intended purpose - protecting against rare and catastrophic events; or, a government-funded health care system like you would find in many European nations.
In my mind, external costs like those caused by fracking are a separate issue. If you want to fix that issue, you need to deal with the problem of regulatory capture. The simplest way to do that would be a new law forbidding anyone who has worked at a regulatory agency from ever seeki
Re: (Score:3)
Hear Hear!
The problem with the insurance scam is that it does very little to contain out of control medical costs. In fact, it makes it worse since opting out entirely and self-treating becomes impossible, even for conditions that used to be treated at home as a matter of course.
Really I think at this point, a European style system is our best bet. The entire industry is so thoroughly addicted to unnecessary tests and outrageous margins that it will take legal price controls or a unified negotiator to get i
Re: (Score:2)
You don't understand insurance. The whole point is that you're paying a fixed premium to eliminate a risk. You're paying for certainty. Without health insurance, you risk that some unpreventable medical problem makes you go into crippling debt for the rest of your life. That can happen regardless of how healthy you are.
Sure, but when you smoke two packs a day, or when the doctor tells you you're 50 pounds overweight and you keep hammering the buffets, shoveling fried food into your corpulent mouth, and not getting any significant exercise, well then we're no longer talking about "unpreventable", are we? That's not the same thing as driving down the road, having a deer jump out in front of you that no one could have seen in time, and getting injured in the crash. you realize that the much maligned high deductibles decouple the bad risky folks who ring up $1500 of bills a year from the good careful ones who have like one $75 checkup per year, because the insurer doesn't pay for either. Of course, that screws the people who have birth defects or MS or cystic fibrosis or asthma, but screw them, they should have been more careful to get born into a healthy body. Yes they can apply surcharges and rate some people as much riskier than others, but the entire concept of insurance is much better suited for the latter case than it is for the former. What a lot of people want is to appease their sense of justice by having some assurance that those who are at least attempting to be healthy are not forced to subsidize those who blatantly aren't. A huge number of people think it's "inconvenient" they can't have everything they want with no downsides. They can't claim ignorance and they're setting themselves up to learn a hard lesson. The adults who understand that decisions carry consequences -- and make their choices accordingly -- don't want any part of the results. That's what I mean by a sense of justice. Whether you agree with it or not, that's where the concern about precisely how the insurance is implemented is coming from.
Re: (Score:2)
You don't understand insurance. The whole point is that you're paying a fixed premium to eliminate a risk. You're paying for certainty. Without health insurance, you risk that some unpreventable medical problem makes you go into crippling debt for the rest of your life. That can happen regardless of how healthy you are.
Sure, but when you smoke two packs a day, or when the doctor tells you you're 50 pounds overweight and you keep hammering the buffets, shoveling fried food into your corpulent mouth, and not getting any significant exercise, well then we're no longer talking about "unpreventable", are we? That's not the same thing as driving down the road, having a deer jump out in front of you that no one could have seen in time, and getting injured in the crash. Yes they can apply surcharges and rate some people as much riskier than others, but the entire concept of insurance is much better suited for the latter case than it is for the former. What a lot of people want is to appease their sense of justice by having some assurance that those who are at least attempting to be healthy are not forced to subsidize those who blatantly aren't. A huge number of people think it's "inconvenient" they can't have everything they want with no downsides. They can't claim ignorance and they're setting themselves up to learn a hard lesson. The adults who understand that decisions carry consequences -- and make their choices accordingly -- don't want any part of the results. That's what I mean by a sense of justice. Whether you agree with it or not, that's where the concern about precisely how the insurance is implemented is coming from.
Well, I messed that reply up. Let's try again.
You realize that the much maligned high deductibles decouple the bad risky folks who ring up $1500 of bills a year from the good careful ones who have like one $75 checkup per year, because the insurer doesn't pay for either. Of course, that screws the people who have birth defects or MS or cystic fibrosis or asthma, but screw them, they should have been more careful to get born into a healthy body.
Re: (Score:1)
In the case of you without insurance, you join the ranks of the scum of society by virtue of passing off the shared responsibility onto everyone else.
How exactly does that work if the person pays in cash?
Re: (Score:2)
In the case of you without insurance, you join the ranks of the scum of society by virtue of passing off the shared responsibility onto everyone else.
How exactly does that work if the person pays in cash?
How much cash do you have, exactly? You realize that the number one cause of bankruptcy in the US is medical costs, for people who DO have insurance?
Re: (Score:2)
Sure, there's always a slight risk, but it's one I'd be willing to take.
Sadly society does not leave its citizens to die in the gutter, so in the end WE pay for you and your stupidity
Re: (Score:2)
But some people don't need that protection. Namely those who take care of themselves. Sure, there's always a slight risk, but it's one I'd be willing to take. Of course, it's irrelevant now in my life because my job pays for my insurance, but before I had this job, I'd rather have no insurance than pay for supporting the scum of society's medical bills.
And when you get run over by a bus, would you become one of the scum of society with your medical bills paid for by others, or would you choose to die in the gutter without benefit of treatment?
Re: Not really related to Amazon. (Score:4, Interesting)
Basically, if car insurance worked like health insurance, then every single time you got an oil change or put gasoline in your tank, you'd file a claim and make a co-payment. If homeowner's insurance worked that way, you'd file a claim and make a co-payment every time you re-shingled your roof, repainted your house, or replaced the mulch in some landscaping.
In every other instance, insurance is for rare and catastrophic events only. It's not something you use on a regular basis every time you perform what would be called routine maintenance in any other context. It's one reason contributing to why health insurance is so expensive.
Re: Not really related to Amazon. (Score:5, Interesting)
1) The car analogy actually works better than you think - nowadays 'private lease' is becoming more and more popular, where indeed the leaser/driver doesn't even pay for oil change and in some instances gasoline. You pay a fixed monthly sum and you get a car (and of course the lease costs are higher because people stop taking care of the car as well as they would with their own car)
2) Any insurance scheme (whether company or government) wants to minimize costs. This can be done by discouraging claims (with co-payments, thresholds, or exclusions) but also by encouraging good behaviour. Often, small medical costs (e.g. GP visit) should be encouraged rather than discouraged, even if only 1% of these visits can prevent (or spot early) a condition that can be tremendously expensive. A house insurance can force you to have a smoke detector installed, or they can pay a smoke detector for you - it doesn't really matter since in the end the costs come out of your pocket. Politically, it can be better to pay a GP visit for someone than to force them to visit a GP at their own expense, especially because enforcement is difficult and voiding someone's insurance in the case of serious illness without having made the required GP visits can be seen as inhumane, and emergency visits are often guaranteed by the state even for the uninsured, two risks which are less so with housing/car/etc insurance. So, just paying out the small claims can be easily a winning option if it prevents later costs. In the Netherlands, some (privately run) health insurance companies even subsidize gym/fitness subscriptions or diet advice, so apparently they believe that these costs can be recouped due to decreased risk and/or improved public image or sales.
3) Relating to an earlier post made above, that health insurance is a scam and as a healthy person you'd be better off paying out of pocket: It's correct that insurance encourages risky behaviour, and that people at risk are more likely to value insurance, which is for example why disability insurance for self-employed people is ridiculously expensive (at least down here). However, health insurance in general suffers a bit less from these problems than other forms of insurance, since people don't actually like being sick, and getting a $2M payout for your cancer treatment doesn't actually leave you any richer (of course, some people still engage in short-term behaviour with long-term risks such as listed by GP). Moreover, a lot of really catastrophic health risks are simply random and impossible to pay out of pocket unless you're Warren Buffett.
4) Relating to the GP that obamacare is bad because it forces people to buy insurance: By forcing everyone to participate, you reduce the problem that risky/unhealthy people are the only ones buying insurance, driving up the premiums and further discouraging healthy people from participating in the risk pooling. If there is a strong negative societal effect from uninsured people, it can be worth it to sacrifice some individual rights to self-determination to help avoid the vicious cycle of unhealthy insured people and high premiums.* And there are strong negative effects of uninsured people: the direct dollar cost of providing them with emergency service and (later) medicare for conditions that would have been cheaper to treat in an earlier stage; the indirect cost of decreasing taxes and increasing social spending when people are sick and disabled; and the humanitarian cost of having people suffer from treatable conditions just because they're poor and/or unlucky. So, there are strong benefits to universal coverage even for the healthy, and due to the risk premium the only way to achieve it is if it isn't voluntary.**
*) In fact, the reason why the US system of employer-tied insurance works at all is precisely because it forces healthy employees to participate, thus greatly reducing the premiums compared to buying private insurance (in the old system, at least).
**) Of course, if you're ideologically libertarian, you would simply not pay emergency service, medicare and social benefits and simply not care if some poor person dies from pneumonia, but in that case I'm not too sure I really want to have this conversation with you :)
Re: (Score:2)
Eh sorry to double-post, but there's another aspect to health insurance that complicates things. Basically, if car insurance worked like health insurance, then every single time you got an oil change or put gasoline in your tank, you'd file a claim and make a co-payment. If homeowner's insurance worked that way, you'd file a claim and make a co-payment every time you re-shingled your roof, repainted your house, or replaced the mulch in some landscaping. In every other instance, insurance is for rare and catastrophic events only. It's not something you use on a regular basis every time you perform what would be called routine maintenance in any other context. It's one reason contributing to why health insurance is so expensive.
Indeed, medical coverage is not insurance any more. In other countries it's "health plan" or "sickness fund" or something.
One thing that makes it different from car insurance is that your maintenance of your car has very little effect on your ability to avoid a crash, and vice versa, the expensive consequences of not changing your oil ever are not covered by insurance. Whereas, as you yourself pointed out, a lot of the worst medical expenses are avoidable a priori. So, do you spend $75 for a checkup out of
Re: (Score:2)
You don't understand insurance. The whole point is that you're paying a fixed premium to eliminate a risk. You're paying for certainty. Without health insurance, you risk that some unpreventable medical problem makes you go into crippling debt for the rest of your life. That can happen regardless of how healthy you are.
You're talking to somebody who undoubtedly believes that Obama invented the concept of insurance and is a socialist and is funneling money to his bosses on Wall St.
Re: (Score:2)
It's more the fault of insurance being a scam for those who take care of their bodies and health. To stay in business, insurance companies must pay out less than they take in. This means for 50% of those insured, it's a scam. And in fact, the numbers are probably higher than 50% because a small percentage of people disproportionately need medical care.
Anyone who pays insurance is paying for those who eat fast food every day, pop out babies yearly (different fathers, if they even know the father), abuse drugs, take risky behaviors (speeding, excessive drinking, fighting), and their idea of exercise is walking to the fridge to get another beer. Assuming you're not a fuck up in life, insurance is pointless. Even if you have one expensive hospital visit per ten years, you'll save more by not paying insurance for those ten years and investing the saved money and then paying for the hospital visit in cash.
And now thanks to the wonderful Obamacare, we're all forced to purchase insurance. This drives up the price for everyone and discourages healthy habits. Great job Obama and his Democrat cronies!
Medical reform is needed in the US, but something like Obamacare has only made things worse than before.
I've personally seen a 3 million dollar medical bill. (Well, not the original, I admit.) If you can save that much from ten years of not paying insurance premiums, I would like you to adopt me.
Re: (Score:3)
Definitely, as far as I understood, some idiot left database dumps on Amazon S3 with permissions for the whole world to read.
In my experience, such idiots actually don't need any cloud computing to make clowns of themselves. Usually they even try to operate their own systems and find obscure excuses for insecure settings like "but only our customers know our IP", or "we don't need to update, since only one application is running on the machine".
Re: (Score:1)
Amazon's servers have been firewalled by us for some years now.
They regularly host malware sites, spam sites, port scanners, etc.
Their complaint/resolution service is rubbish; we no longer bother informing them.
Amazon? (Score:5, Informative)
So Systema is at fault for not securing the data, but the headline pins it on Amazon?
Re: (Score:2)
But do you understand the definition of "asshole" in this context?
Because when all you do is
a. Lie "it does not pin it on Amazon" (The headline most certainly does.)
b. Talk about yourself "I'm in IT"
c. Be a dick "I also understand the definition of 'through' in this context"
It's clear you're either a narcissistic sociopath or just an asshole.
That's why I asked if you know the definition.
E
Re: (Score:2)
But do you understand the definition of "asshole" in this context?
Because when all you do is a. Lie "it does not pin it on Amazon" (The headline most certainly does.) b. Talk about yourself "I'm in IT" c. Be a dick "I also understand the definition of 'through' in this context"
It's clear you're either a narcissistic sociopath or just an asshole. That's why I asked if you know the definition.
E
I'm not the AC, and I also don't believe that AC was being, in any way, an asshole. I believe he was constructively criticizing the way the summary/article was written, which on this site, doesn't happen often enough. I also believe you're overreacting to the point that you're making him look very good.
Re:Amazon? (Score:5, Insightful)
Bear in mind that Slashdot generates revenue from clicks.
Re: (Score:1)
If you're not viewing their ads they don't want you. We're just wasting their bandwidth.
Re: (Score:2)
No, Slashdot (and just about any other website) gains revenue from clicked ads.
Not anymore they don't. Due to click-fraud, ad networks don't generally pay for ad clicks, but 'impressions' aka views. It's a lot easier to fake a thousand unique clicks than a million unique views.
Re: (Score:2)
No, Slashdot (and just about any other website) gains revenue from clicked ads.
https://en.wikipedia.org/wiki/... [wikipedia.org]
You should have at least the smallest clue about something before you correct others on it. CPM is quite common, and requires no clicks.
Re: (Score:2)
Amazon once bit my sister.
Re: (Score:2)
Amazon once bit my sister.
Let me guess, she started working there the next day and now puts in 160 hour work weeks.
Re: (Score:3)
1) Companies have to follow due diligence when handling private medical data.
2) Companies want to use a cheap cloud computing platform to mine medical data.
3) Story: Amazon cloud services are not suitable for 1)+2)
I don't know about you, but I've learned something, and I know what I'll ask my health care provider about how they handle my data.
Re:Amazon? (Score:5, Informative)
Of course, nothing can prevent a clueless operator from putting data on a publicly accessible share.
Re: (Score:2)
Whose responsibility is it to ensure the data is safe? Surely, a "clueless operator" should not be able to put data on a publicly accessible share in the first place, if Amazon complies and is the entity hosting the data?
I'm curious how the legalities are interpreted to bypass the HIPAA protections in this case.
will be sold on Monday (Score:4, Interesting)
Re: (Score:2)
Out of interest, who is Paxton? I can't see anything about him.
Re: (Score:2)
Sorry, Paxton is the Texas Attorney General.
Re: (Score:2)
Why the hell did his parents give him a name like that?
Re: (Score:2)
Why the hell did his parents give him a name like that?
To make sure he grew up to be tough.
Jail, bankruptcy? (Score:5, Insightful)
So someone is going to jail for this and the company will soon be bankrupt, right?
Oh wait, none of this will happen, because the government is controlled by corporations. Just like the GM story where the cover-up led to people dying. No one will ever serve any time for killing people in this manner.
Re: (Score:2)
We need really harsh penalties for companies that use this data. None of them will do it openly, but you can bet insurance providers and employers are accessing it (through multiple third party reports, to insulate themselves legally).
Roll 'em! (Score:1)
Sounds legit.
Re: (Score:2)
You looked at their website?
https://aws.amazon.com/ [amazon.com] Why yes, yes I did. Awesome thing, this intertoobz
Dudes! It's totally OK! (Score:3)
"Tomorrow, Vickery will turn over the data to the Texas Attorney General, where it will be destroyed."
See? They're going to destroy it!
MIGHT be a HIPAA violation? (Score:1)
How can this possibly be "Might be a HIPAA violation?"
It is precisely what HIPAA was created to protect against.
Re: (Score:2)
How can this possibly be "Might be a HIPAA violation?"
It is precisely what HIPAA was created to protect against.
I'm not remotely a lawyer but I can offer an opinion. It's the whole "spirit of the law" versus "letter of the law" deal, I would assume.
For an analogy - that's the main reason Constitutional law can get so complex. Otherwise language like "shall make no law" and "shall not be infringed" isn't difficult to understand. No I don't think the authors of that document intended for physical papers to enjoy certain protections but not computers, cellphones, and other future replacements for paper not known t
Semi-OT: Why does plain text still exist? (Score:2)
Why does plain text still exist? Or put it another way, why is anyone who has data they must protect able to put such data into a program that will export, import or otherwise be accessed by an external system *without* an encryption key?
I know it's a stupid question, but being able to just dump a database to text is just totally wrong, no? Nobody seems to be fazed by SSL over HTTP, after all. Excel, Outlook, Oracle, MySQL, etc. - stop the madness!
Re: (Score:2)
Well, I am not sure what they were doing with that data. But if you are going to make any kind of multi pass analysis on it, you probably don't want to pay the runtime cost of encryption/decryption. Also, if your system has any kind of external connectivity, it is typically for authorized querying of the data, so the system certainly needs a way to decrypt it.
Re: (Score:2)
Well yes, runtime costs of encryption might be an issue, but that's sort of what I meant when I said nobody seems to be fazed by SSL and how that works with trusted keys, etc. In short, why can't all data (like medical records) be encrypted inside systems that are incapable of exporting the plain text and can't be accessed by anything that doesn't have the cryptographic ability to do so?
Obviously, an attacker could steal the keys and write an application that read that data and then exported it as plain t
Re: (Score:2)
Why does plain text still exist?
Because searching an encrypted database for "gilgongo" isn't trivial. And when passing "gilgongo" to middleware over unencrypted XML, how do you encrypt the individual fields? Because if you send encrypted XML (IPSEC or such) then you'd send the fields inside unencrypted, so the dB on both ends would be unencrypted, or import/export unencrypted.
Makes a mess for migrations and support.
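Two points in this thread meet here: the earlier suggestion to encrypt files before uploading them, and the objection just above that searching an encrypted database for a value isn't trivial. The following is an added example, not code from the original thread or from any party named in it, showing one standard way to get both: each sensitive field is sealed with AES-256-GCM, with the record id and field name bound as additional authenticated data, and any field that must support exact-match lookup also gets a keyed blind index (an HMAC under a separate key), so an equality query runs over the encrypted rows without decrypting anything. The in-memory `Store`, the record ids and the SSN-shaped values are constructed for the example (they use the 9xx range, which the SSA does not issue). The keys are drawn at random here as a stand-in for a KMS-managed data key; in a real deployment they must never live alongside the data they protect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Keys holds two independent 32-byte keys. Separate keys for encryption and
// indexing mean a leak of the index key reveals equality of values, not values.
type Keys struct {
	Enc   []byte // AES-256-GCM key for field contents
	Index []byte // HMAC-SHA256 key for the equality-search blind index
}

// NewKeys draws fresh random keys (stand-in for fetching them from a KMS).
func NewKeys() (Keys, error) {
	k := Keys{Enc: make([]byte, 32), Index: make([]byte, 32)}
	if _, err := io.ReadFull(rand.Reader, k.Enc); err != nil {
		return Keys{}, err
	}
	if _, err := io.ReadFull(rand.Reader, k.Index); err != nil {
		return Keys{}, err
	}
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext as nonce || ciphertext || tag. The record id and
// field name are the AAD, so a ciphertext copied into another row or column
// fails authentication instead of silently decrypting in the wrong place.
func EncryptField(k Keys, recordID, field string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(k.Enc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID+"|"+field)), nil
}

// DecryptField reverses EncryptField; any tampering or AAD mismatch is an error.
func DecryptField(k Keys, recordID, field string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(k.Enc)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID+"|"+field))
}

// BlindIndex is a keyed, deterministic tag of a value: equal plaintexts give
// equal tags, so exact-match queries work over encrypted rows, but without the
// index key nobody can brute-force it offline (unlike a plain hash of an SSN).
func BlindIndex(k Keys, field string, value []byte) string {
	mac := hmac.New(sha256.New, k.Index)
	mac.Write([]byte(field))
	mac.Write([]byte{0}) // separator so "ssn"+"123" and "ss"+"n123" differ
	mac.Write(value)
	return hex.EncodeToString(mac.Sum(nil))
}

// Record is what gets stored or exported: nothing in it is plaintext.
type Record struct {
	ID       string
	SSNCt    []byte // sealed SSN
	SSNIndex string // blind index for lookups
	NotesCt  []byte // sealed free text; not indexed because it is never searched
}

// Store stands in for a table with an index on SSNIndex.
type Store struct{ rows []Record }

func (s *Store) Insert(k Keys, id string, ssn, notes []byte) error {
	ssnCt, err := EncryptField(k, id, "ssn", ssn)
	if err != nil {
		return err
	}
	notesCt, err := EncryptField(k, id, "notes", notes)
	if err != nil {
		return err
	}
	s.rows = append(s.rows, Record{ID: id, SSNCt: ssnCt, SSNIndex: BlindIndex(k, "ssn", ssn), NotesCt: notesCt})
	return nil
}

// FindBySSN needs only the index key and the query value; the table stays sealed.
func (s *Store) FindBySSN(k Keys, ssn []byte) []string {
	want := BlindIndex(k, "ssn", ssn)
	var ids []string
	for _, r := range s.rows {
		if hmac.Equal([]byte(r.SSNIndex), []byte(want)) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	k, err := NewKeys()
	if err != nil {
		panic(err)
	}
	var db Store // constructed sample rows
	_ = db.Insert(k, "pt-001", []byte("987-65-4320"), []byte("Knee injury, follow-up in 6 weeks"))
	_ = db.Insert(k, "pt-002", []byte("987-65-4321"), []byte("Asthma, inhaler renewed"))
	fmt.Println("matches:", db.FindBySSN(k, []byte("987-65-4321"))) // [pt-002]
	notes, _ := DecryptField(k, "pt-002", "notes", db.rows[1].NotesCt)
	fmt.Printf("notes for pt-002: %s\n", notes)
}
```

The trade-off to know before copying this: a blind index leaks which rows share a value (frequency), which is acceptable for high-entropy identifiers like an SSN and a poor fit for a low-cardinality field like blood type, and it supports equality only, not prefix or range queries. A dump of this table, left in a public bucket, yields ciphertext and HMAC tags rather than patient data.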
HIPAA violation! (Score:2)
Re: Why all the Amazon love? (Score:2)
Have you ever used S3? That is almost exactly what it is like.
We have come a long way (Score:2)
Just another private company screwing up (Score:2)
So Amazon, or whomever, lets 1.5 million personal medical records get into the wild. Will there be Congressional investigations considering this is substantially more than what happened to the IRS?
Where were the investigations about Target and its breach of 40 MILLION credit and debit card numbers?
Or is this simply another example of private industry doing it better than government?