Backup Tapes With 2 Million Medical Records Stolen

Lucas123 writes "A vehicle used by an off-site archive company to transport patient data was broken into on March 17. The University of Miami just made the theft public last week, saying the thieves removed a transport case carrying the school's six computer backup tapes. On those tapes were more than 2 million medical records. In fact, the archive company waited 48 hours before notifying the university itself. A University spokeswoman said the school has stopped shipping backup tapes off-site for now."

Easy case

[plover (150551)]

This case should be pretty simple to solve. Just track down whoever buys a 9-track tape reader off eBay in the next month and nail him to the wall.

Re:yes but what's the value

[Jhon (241832)]

Why would someone steal the tapes? What is there value.

What would YOU pay for 2 million social security numbers?

Re:yes but what's the value

[WaltBusterkeys (1156557)]

Why would someone steal the tapes? What is there value.

From TFA: The stolen backup tapes hold names, addresses, Social Security numbers and health information

On the black market these days, a full identity (name, SSN, address, bank information, etc) can go for $14 each [washingtonpost.com]. If the tapes had full identities, that's 2 million x $14 = $28 million payday for a bunch of crooks. Even assume a "volume discount" for these guys and they're still in the many million dollar range. Even if it's just name, address, and SSN there's some value on the black market for these tapes.

When you're breaking into a vehicle filled with stuff that looks like computer equipment, it's hard to know whether the data is going to be social security numbers (valuable), credit card numbers (valuable), medical records (valuable if there's addresses and SSNs), or routine corporate records (not all that valuable). Enough data brokers [reputation...erblog.com] are sloppy enough with their security that there's a good chance to get some identity information that has value.

These guys were either extremely lucky or knew exactly what they were doing. Or they're complete idiots who are wondering why these tapes won't play on their 8-track player.

Re:

[Digestromath (1190577)]

Not to mention there is also the potential for blackmail. If anyone on the tapes has a serious, publically undisclosed, and socially stigmatic medical condition its ripe.

For Example: Alot of people don't want to publically share that they have STDs etc. Especially not if the files are cross linked with a list of their sexual partners.

While sale for identity fraud would most likely be the most profitable, there are alternative uses for this data. Given the enterprising nature of most criminals, this is

Doesn't modern tape backup software encrypt data?

[Futurepower(R) (558542)]

"On the black market these days, a full identity (name, SSN, address, bank information, etc) can go for $14 each."

Good answer. Next question: Doesn't all modern tape backup software encrypt all data?

Even my personal DVD backups are encrypted automatically.

TFA does NOT say they were encrypted

[Skapare (16644)]

There's nothing in the article that says they were encrypted. They were compressed and some kind of encoding was involved. But encoding could be any number of things, and quite possibly the coding used by medical records systems to compact common terms to numbers. It could be hard to make use of the data. But if it was an "inside job", or the perps can get the software used on this, it can be cracked easily. This is not strong encryption.

Re:

[guruevi (827432)]

I work at a University with a large medical site/hospital/research and I've worked in several businesses that have to have HIPAA or SoX compliance. The laws state and the legal advisors make sure you know this: if your data was encrypted and then lost disclosure is not mandatory and thus the agreement of the employer then takes over, if you disclose it anyway, you lose your job.

Another example: If you have a database, it is sufficient to only protect/encrypt one of the (i think it's five) identifiers to be

Re:

[frdmfghtr (603968)]

In this day and age of "Information Warfare" you should consider every system for moving data vulnerable and take measures to ensure that attempting to steal that data would be more work than what it's worth.

In the case of physically moving backup high-value drives/tapes to off-site storage, that would mean an armored courier. That data is money to somebody, so protect it like money. Sure it's more expensive that the local Speedy Messenger cargo van, but so is losing control of the data.

Yeah, but ...

[CustomDesigned (250089)]

Complete idiots don't read Slashdot. Oh, wait ...

Crooks hoping for physical, got useless tapes

[spineboy (22918)]

More often than not, homeless people, and petty crooks just steal AYTHING out of cars hoping to get pennies on the dollar for whatever they stole. A nice looking, shiny case was probably thought to have some nice stuff in it, other than tapes. I bet the tapes are in some sewer drain or dumpster by now, and the case is being pawned for 5 dollars.

Hmm.

[Ethanol-fueled (1125189)]

From TFA:

After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed. Menendez said security experts at Terremark Worldwide Inc. "tried for days" to decode the data but could not because of proprietary compression and encoding tools used to write data to the storage tapes.

Proprietary compression and encoding tools? the article reeks of FUD but proprietary technologies still aren't without their faults...but eh, it's not like they used this "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" [wikipedia.org], right?

Re:Hmm.

[by Anonymous Coward]

When questioned further, Terremark employees answered, "what's EBCDIC?"

*Still* no encryption??

[DigitAl56K (805623)]

There needs to be a law regarding data encryption. Virtually every time data is stolen, be it on CDs, laptops, backup tapes, missing hard drives, and so forth, it is not encrypted. In fact, I can think of only one case that has made press in the last 4-5 years that I can remember encryption being used to safeguard the data.

Transporting confidential data off-site via any medium, including the Internet, without industry-recognized encryption (not something that is proprietary and untested) ought to be a criminal offense with severe penalties.

TFA talks about proprietary compression and encoding and not about encryption. I simply do not believe that it is difficult to recover that data - whatever proprietary software wrote those files can be obtained from somewhere for a price. You can probably Google the file extension or some information in the header to determine the format and/or software.

"The university feels confident that the person who took [the tapes] doesn't know what they have."

They do now!

"Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."

That data is not safe. At best it is in an obscure, but not secure format.

It's incredible, really. Since TrueCrypt 5.0 arrived,I don't even carry my work laptop or flash drives around without either full disk encryption or encrypted container files on them, and they do not contain anything as sensitive as 2 million medical records.

Re:*Still* no encryption??

[WaltBusterkeys (1156557)]

You can probably Google the file extension or some information in the header to determine the format and/or software.

Not everything is on Google. If we're talking tapes, we're probably talking old mainframe-level systems. That means the problem might even be at the level of accessing the tape at all. The data coming off the tape is still just a string of ones and zeroes to them.

This isn't a question where they've got a file sitting on their desktop called "Data.abx" and all they need to do is figure out what program creates an ".abx" file. In all likelihood, there's an old custom or semi-custom mainframe system that wrote this to the tape that didn't format in FAT32. (Nor would it make sense to even both with a filesystem on this type of backup system -- you're not backing up files, you're backing up a database.) From looking at a stream of data dump, there's no way to immediately make sense of it. If there's no file headers, there's not as much of a clue as to where to start. It just looks like an endless string of hex (2 million records is a lot of data).

Somehow I doubt that this is just an Access file, sorry. Or even a SQL dump. They're not complete idiots.

Re:

[Xtravar (725372)]

Somehow I doubt that this is just an Access file, sorry. Or even a SQL dump. They're not complete idiots.

Chances are, since it's a health system, it probably uses a post-relational database, typically of this variety: http://en.wikipedia.org/wiki/MUMPS [wikipedia.org]

Which means the file format could be anything...

I'm just glad they're not our customer. 8-)

Re:

[urcreepyneighbor (1171755)]

They're not complete idiots.

Famous last words. :)

Always assume the person is a complete idiot, unless proven otherwise.

Re:*Still* no encryption??

[jimicus (737525)]

Why would you still use antiquated mainframes for your backups, particularly if it's 2 million records? If something happened at your site you'd need a similarly antiquated mainframe just to get your data back. That makes very little sense.

Three reasons:

1. It works.

2. IBM (assuming they are using IBM kit) mainframes are still being built today, and while they're totally different internally to the systems of 30 years ago, they're still compatible.

3. This is what companies like SunGard and IBM (yes, they have a DR consultancy team) specialise in. You tell them what equipment you'll need in a disaster recovery scenario, they agree to loan it to you. In which case, who cares how old the system is?

Re:

[jimicus (737525)]

I knew that I would see a post saying something like this.

Yes encryption is a great thing and should be used all the time, especially on laptops. Well actually, there is one time when it *shouldn't* be used (or at least, not automatically). Want to know when that is?

For backups.

THANK YOU. I'm glad I'm not the only person who thinks this.

The backup software I use (http://www.bacula.org - a fantastic piece of work) does have the facility to encrypt everything.

But I've considered the risk to the business in the event of tape loss versus the risk to the business in the event that we can't decrypt the data because for whatever reason the office has burnt to the ground and the offsite copies of the keys aren't recoverable.

I concluded that if it's a choice between explaining a lost tap

Re:

[ColdWetDog (752185)]

Bah, I would disagree. And IAAP (I am a physician) - who has worked in IS intermittently for decades.

First, if your recovering from an off site backup tape, something went down and it's going to take a while to get it running again. Decrypting can't add much more than 20 - 30% (number pulled from appropriate nether region) to the time. If it does you need to upgrade those C-64's you're using in the server room.

Second, if the data is bulk stuff going off site, it's obviously not a primary rapid-respons

Do not panic

[Psychotria (953670)]

A University spokeswoman said the school has stopped shipping backup tapes off-site for now."

Well, I am sure that makes everyone sleep a little easier tonight--it's obviously all under control.

Even better

[Psychotria (953670)]

"The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information," remarked Menendez.

I am sorry Menendez, but difficult for who exactly. Your school is not unique, nor is it the pinnacle of knowledge (no school is). If we could decrypt things 50 years ago, how is a "compression" method hard to work out?

2 million records, or people?

[pclminion (145572)]

The article is very careful to phrase it as "2 million medical records." I somehow doubt that this means the medical records of 2 million separate individuals -- if it did, surely the news outlet would have said so, as it is much more dramatic. I bet a "medical record" is a single row in the database, and what was really stolen was a DB with 2 million records (as in "rows") in it. I seriously doubt the medical records of 2 million people are all collected on a single set of tapes.

Old school

[LoudMusic (199347)]

Tape is so last millennium. Anybody who's anybody backs up to hard drives across the internet.

Re:

[DigitAl56K (805623)]

All they need to do is create a TrueCrypt container or the like and write the data to be backed up into it before copying it to the archival medium. Then you don't need an armored vehicle, or even a stun gun. You could literally walk down the street with a disk in your hand inviting people to steal it, because it wouldn't matter at that point - the data is secured to such a degree that it is questionable whether even the government could access it. Of course, you wouldn't handle the archive that way regardl

In 2025 those will still be valid SS numbers

[plantman-the-womb-st (776722)]

Get your most closely kept personal thought:
put it in the Word .doc with a password lock.
Stock it deep in the .rar with extraction precluded
by the ludicrous length and the strength of a reputedly
dictionary-attack-proof string of characters
(this, imperative to thwart all the disparagers
of privacy: the NSA and Homeland S).
You better PGP the .rar because so far they ain't impressed.
You better take the .pgp and print the hex of it out,
scan that into a TIFF. Then, if you seek redoubt
for your data, scramble up the order of the pixels
with a one-time pad that describes the fun time had by the thick-soled-
boot-wearing stomper who danced to produce random
claptrap, all the intervals in between which, set in tandem
with the stomps themselves, begat a seed of math unguessable.
Ain't no complaint about this cipher that's redressable!
Best of all, your secret: nothing extant could extract it.
By 2025 a children's Speak & Spell could crack it.

You can't hide secrets from the future with math.
You can try, but I bet that in the future they laugh
at the half-assed schemes and algorithms amassed
to enforce cryptographs in the past.