A Huge Trove of Patient Data Leaks, Thanks To Telemarketers' Bad Security (zdnet.com)
"A trove of records containing personal and health information on close to a million people was exposed after a former developer working at a telemarketing company uploaded a backup of its database to the internet," writes ZDNet. An anonymous reader quotes their report:
The data contained personal and health-related information, such as names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, health insurance information, and other data relating to the types of health problems the individuals have regarding the products they need, though many of the records were truncated or incomplete. An examination showed that the database was used to market products to thousands of customers by telemarketers at HealthNow -- no longer a registered business as of 2015. Several records we've seen included customized notes written by staff who were tasked with calling customers, such as when they are home and any other relevant information on the subject.
The database apparently lingered online for years in an AWS instance until it was discovered two weeks ago in search results from Shodan by a Twitter user calling himself Flash Gordon. Databreaches.net, which investigated the breach with ZDNet, believes this is a teachable moment. "Before you give your personal or health insurance information to telemarketers or firms that call to offer you supplies for diabetes or back pain or other conditions, think twice."
Think twice? (Score:3, Interesting)
Thinking once is good enough. In fact no thought is really required at all. The simple rule is, don't give your info to telemarketers. I mean, not that your regular medical establishments are any better [beckershos...review.com]
Re: (Score:2, Interesting)
Ever get lured into trying to receive a mail-in rebate? Boom. Ever open a bank account at a major bank? Boom. Keeping your info out of all telemarketing is a Unabomber-esque level task.
Re: (Score:2)
How about going into any doctor's office running Windows 10? Boom, M$ now has your entire medical record and can now target you with ads, and employment firms, insurance companies, and financial corporations with your data (can not get a job, can not get insurance, can not get a loan, tough, M$ needs to make more money).
What makes you think people gave that information? (Score:1)
Your personal information in the form of lists is easily available because most businesses sell it. The credit bureaus do. That's how the AARP knows to swoop in on you when you hit 50.
We consumers are just meat.
some things are harder to avoid :( (Score:5, Insightful)
I can pretty well avoid IoT devices and all the stupidity that surrounds them... at least for the moment, until they take over the marketplace entirely. And in the example from TFS, you can avoid it by not dealing with the telemarketers.
But health care in general, wow, that's a different kind of thing. There have been leaks from primary health care databases, sometimes impacting up to 70 million people at once such as with the Anthem leak. That's just one example of many.
There are kinds of health care you cannot avoid, so you are given no choice but to have your personal and health info entered into systems that are insecure. They have been proven time and time again to be insecure, so it isn't a theoretical risk. It has happened and will happen again. So now you're exposed to identity theft, insurance fraud, and more.
In the past there was not a single centralized database to attack. You might steal some paper records from a clinic and get 100 people's data. Now you attack a database on the internet and get 100 million people's data. Centralization increases risk and vulnerability, just like lack of biological diversity does for diseases among populations.
Something is seeming awfully broken about what we're doing, and I can't vote with my dollars against it, because then I don't get health care.
Re: (Score:2)
"Become a monk for income purposes"
A million people pretending to be monks while researching Viagra would be hilarious
Re: (Score:2)
I believe in tainting data - swap your grocery rewards card with someone else. Become a monk for income purposes, or turn vegan for health surveys :)
This. The entire Internet still thinks I was born on December 7, 1941. You know, "A day that will live in infamy."
A case of identity (Score:3, Interesting)
The problem is, that these days you can't even hope to be in charge of your personal data. You are at a mercy of whoever you've already given your details to - be it your ISP, GP, optician or virtually anyone else. Checking the 'no marketing, please' checkbox doesn't do a damn thing - databases get leaked, companies get hacked and greedy CEOs may simply say `Screw the legal clause, we want more money, and we can pay legal fees and compensations off it and still come out with profit. If anyone dares to sue us, that is.`
I personally only give my real details to government institutions or where it's otherwise strictly necessary. I invented a fake identity, with an independent e-mail address and a burner mobile number, that I provide to anyone else.
Re: (Score:1)
who is going to jail for this? (Score:1)
Nobody will think twice unless someone goes to jail for this. Criminal negligence comes to mind.
Question (Score:1)
Why is such HIPAA-protected data in the hands of marketers in the first place?
Re: (Score:2, Interesting)
It's far from a joke. I work in pharmacy and personally know a Pharmacist that had his license permanently revoked for accidentally tossing out a box of protected health information. It never made it out to the public, but was found by a store manager and reported.
As part of his agreement to not be fined $X/document, he agreed to never work as a pharmacist in this state, or any other.
Re: (Score:2)
So we prevented him doing what we wanted him to do as punishment for doing the thing we didn't want him to do. I guess he'll go work in a bank now.
So it sounds like his community is punished 3x. Lost the original data, lost a pharmacist serving the community, lost the records he leaks from whatever new job he winds up in.
It would have been better to have him continue in pharmacy and pay for enhanced data protection services / audits.
Sigh. (Score:4, Insightful)
No.
Before you live in a country where you can telemarket medical products to people at all, and don't have proper data protection legislation, think twice.
Re:The question should be ... (Score:4, Informative)
HIPAA, not HEPA.
Health Insurance Portability and Accountability Act, 1996
But if you want to take a High Efficiency Particulate Arresting filter to those loose bits from the server, be my guest.
Re:The question should be ... (Score:4, Informative)
HealthNow is owned by Dino Romano, a former Unistar executive and securities fraud recidivist. It ceased as a business in 2015...
When contacted, Daynier Brown, a software developer contracted to work on building a customer database for Romano, confirmed he obtained a copy of the database during the time he worked for Romano. In a phone call this week, Brown said he found the backup drive on a failing hard drive on a development server he owned from his previous HealthNow project. He spun the data out on an Amazon Web Service instance he owned, which pointed to MediboxSolutions.com, a website owned by Brown, intended to eventually provide customer database solutions for medical services.
In other words, a scammer stole the data from another scammer and didn't bother to secure it. Yes, that's a huge HIPAA violation.
Telemarketers have bad security? (Score:2, Interesting)
That's terrible. It's alarming to think that our sensitive personal data could fall into the hands of greedy, unscrupulous folks.
A Huge Trove of Patient Data Leaks, Thanks To Tele (Score:2)
hmmmm . . . could someone please help me resolve this.
I had come to believe over the years that the terms 'Telemarketers' and 'bad security' were, in fact, synonymous - and had nothing in common except for the bottom line item - $$$$$
cheers . . .
Why pick on telemarketers? (Score:3)
Sure, we all hate these assholes cold-calling us with "valuable offers", but they aren't alone with bad security practices — nor are they especially bad. I suppose, one can argue, that people with manifestly flawed ethics are more likely to have flaws in other aspects of their personalities — such as in whatever is required to take care of your data. But, without concrete statistics of data-leakage by industry, the exact opposite can be argued as well — people with one sensory organ (such as eyes) disabled often develop heightened sensitivity in another (such as hearing).
Simply put, do not give out your information to anyone if you can avoid it — and be sure to make an abhorrently impolite stink every time you can not avoid it.
Doctors' offices, for example, ask for a lot of information they don't really need — I always leave most entries blank in the forms, and wait for the receptionist to point at those, which are really necessary.
Great exposure... (Score:3)
It's bad that private medical information is being disseminated...
It's great, however, in being a window into the information about me that's available to, well, just about anyone with money.
Anyone with an interest in Healthcare (e.g. Health Insurance companies) probably had a copy of this data, acquired "somehow". There's no incentive for a company to only keep records on their customers - database storage is free, so keeping records on EVERYONE who might someday wish to become a customer is just good business sense.
Anyone who has such data would certainly market it to the "big boys". Even if these million records were only worth a thousand dollars to an Anthem or Cigna, there are dozens of health companies and hundreds of scammers who might pay that thousand dollars. And right now, there's no way for me to find out what information Anthem or Cigna is keeping on me.
My information was in the Anthem leak - and when I asked Anthem to tell me what was taken, they said "No". So Anthem knows what was taken, and the bad guys know what was taken, and the government knows what was taken, and I'm the only one left in the dark. Leaks like this are the only way available to me to try to determine this information.
Off to jail! (Score:2)
I'm looking forward to everyone involved getting sent to jail for HIPAA violations! ;)
Data Brokers are the problem (Score:4, Insightful)
This is part of a bigger problem. See http://money.cnn.com/2013/12/1... [cnn.com] It's possible to *BUY* lists of rape victims, HIV sufferers, police officers, etc, etc. This data shouldn't be available in the first place.
The problem is that this data is sometimes used to determine whether you get a loan or a job, etc, etc. It's bad enough that you can be denied a loan or a job for something irrelevant. What's horrifying is that these lists often have major errors http://money.cnn.com/2013/09/0... [cnn.com] which may play a part in denying you loans or jobs.
SSN (Score:3)
Re: (Score:3)
And it's all linked by SSN. If every industry were using their own identifiers instead of the SSN, then a few isolated data loss events would be less significant. It's time the government came up with a better identifier, and mandated that it only be used for government purposes.
The problem seems to be that SSN is used by folks for authorization in addition to identification. If the government made it illegal to use SSN in any way for any part of an authorization process and enforced this with severe penalties, say 1 year of jail time and 1 million dollars for each C-level executive in the company per SSN involved, the problem would go away. I don't think it is really so much of an issue to use it as an identifier or linking number, it's just that possession of a SSN number should
Wrong. (Score:4, Insightful)
"Databreaches.net, which investigated the breach with ZDNet, believes this as a teachable moment. "Before you give your personal or health insurance information to telemarketers or firms that call to offer you supplies for diabetes or back pain or other conditions, think twice."
I have a simpler takeaway: nobody should ever buy anything from any telemarketer, ever. I can't wait until we, as a society, treat "buying from a telemarketer" as a universally-recognized obviously bad decision, right up there with "chewing some gum you found stuck under a table." Seriously -- fuck them and all their ilk. They are parasites, but nobody ever is going to have the balls to just ban them, so the next best thing is if it just becomes simply impossible to make any money in that business.
AT BEST, they are selling some shit you probably don't need, AT WORST -- and, in fact, IN GENERAL -- they are selling products that are of dubious value, if not outright scams. God knows there's enough advertising in the world, so it's basically impossible for there to be a product you haven't heard of. In the off chance that they're selling something you need, you can get it elsewhere. I don't know of a single product that telemarketers have a monopoly on.
I have a simple phone rule: I don't answer unrecognized numbers. If an unrecognized number is a legit call, they can leave a message. If they don't, I don't need them. Period. All that's left to do is delete the occasional "THIS IS AN IMPORTANT MESSAGE FROM INTERNAL REVENUE SERVICE" scam robocall.
Re: (Score:2)
I do this as well, people get annoyed I am not "contactable" if they are not in my address book, I don't give a shit. People who know me well, know how to get hold of me. Everyone else can go to voice mail. Which I don't ever check. If it's important to me, you should know the right channels to contact me. If you don't, well then it can't be very important to ME. It might be important to YOU, but that is not the same thing in my book.
"Think Twice" is not useful (Score:2)
Sooo tired of articles telling me to think twice - hardly useful. Why not offer some real advice before hitting 'Post'? Are you afraid to think once?
Punish Them! (Score:1)