Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen 181
An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."
Too bad for the crooks that the people are poor. (Score:3, Interesting)
Medicaid is for poor people. stealing their identity won't gain them access to much money. However the SS numbers might be useful for illegal alien ID cards.
Re: (Score:3, Insightful)
Medicaid is for poor people.
TFA quotes:
25,096 appear had their Social Security numbers (SSNs) compromised
... many of them feel violated
“But we also hope they understand we are doing everything we can to protect them from further harm.”
Poor people... have their SSN compromised, feeling violated (bordering to "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future.
However... are the East European hackers the primary cause of their situation?
Re: (Score:2)
Medicaid is for poor people.
TFA quotes:
25,096 appear had their Social Security numbers (SSNs) compromised
... many of them feel violated
“But we also hope they understand we are doing everything we can to protect them from further harm.”
Poor people... have their SSN compromised, feeling violated (bordering to "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future. However... are the East European hackers the primary cause of their situation?
That's a rhetorical question and you know it. It would be better for you to answer it yourself.
Somebody raised the question [slashdot.org] in a non-rhetorical manner. A suggestion of my position in this matter [slashdot.org]. If you'd like, let's close this thread and continue the discussion on the other one.
Re: (Score:2)
... many of them feel violated
Welcome to the TSA plus Obamacare? Bringing the air traffic experience to medicine.
Sorry mate, not here. For Obamacare there's a special thread [slashdot.org], with the special note that the thread is modded Offtopic.
Re: (Score:1)
Welcome to the TSA plus Obamacare? Bringing the air traffic experience to medicine.
Obamacare, Romneycare, what's the difference?
"The two laws are, in the words of Jonathan Gruber, who helped design both the Romney and Obama plans, “the same fucking bill.”
Now go fuck off and spread your uninformed opinion somewhere more appropriate, the sewer for example.
Re: (Score:3)
Re: (Score:2)
Well duh, my new crime-as-a-cloud service can now offer a feature that screens these people from your card lists, at only half the cost of the traditional merchant-account leasing service.
Re: (Score:3, Funny)
It's too hard. I give up! What's the answer?
And who will be held responsible? (Score:5, Insightful)
No one!
Re:And who will be held responsible? (Score:5, Insightful)
Re:And who will be held responsible? (Score:4, Funny)
The cynic in me says the hackers will be held responsible.
Seconded.
FTFA adjusted with a link
Director Michael Hales said in a statement. “But we also hope they understand we are doing everything we can [despair.com] to protect them from further harm.”
As they should be (Score:5, Interesting)
You should not hack in to systems you don't have permission to access. It is illegal, for the same reason it is illegal to break in to a house you don't have permission to access. It doesn't matter if you are capable of doing it, you shouldn't do it. Thus if you do, expect to be held criminally accountable.
This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.
Thing is, I'd be very able. Your physical security is shit, as is everyone's. Individuals never bother with good security. You'll have a regular lock that is vulnerable to bumping, ice picking, and so on. That aside a shotgun with door breaching rounds will take it off the hinges no problem since you have no reinforcement on them. Your walls are probably made of drywall, wood framing and stucco, so a Sawzall can easily take care of that.
You don't choose to spend the time money or effort to secure your house further... Nor should you have to. Yet you think that if people don't have perfect computer security, well someone should be allowed in.
Also this is funny because show me this perfect security. Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.
Re: (Score:3)
Re:As they should be (Score:5, Insightful)
"Your physical security is shit, as is everyone's. "
No one is arguing that hackers who hack into a system and subsequently either damage the system or leak confidential information from the system out onto the rest of the Internet (or communicate that information to people other than employees of the company to report it to them to fix it) shouldn't be held accountable. They absolutely should.
But there is a huge difference between a residential house (my computer with my info on it) and a bank (a service provider). When I go to a bank, I don't see them leaving unguarded money out in the open for anyone to easily grab. No, they have safes, they have bullet proof glass, they have cameras, they have security guards, they have security switches to alert cops of a robber, they have all sorts of security. Even liquor stores are careful with money, having those huge armored vehicles transporting money from place to place. We expect and require them to take measures to ensure your money is safe.
A service provider is like a bank of information, they should also hold some responsibility and accountability if they store your personal information in such a way that it can easily get hacked into.
and corporations are part of the problem as well. Historically, white hat hackers used to report security vulnerabilities to corporations long before leaking them on the Internet. A while back I remember someone reported a 2wire vulnerability to 2Wire and they did absolutely nothing about it for six whole months before the person who discovered the vulnerability communicated it over the Internet and 2wire finally fixed it with a firmware upgrade (due to public pressure). Many times when people communicate vulnerabilities to corporations privately they simply ignore them. Or they sue. So now people no longer put up with that and they simply leak the information onto the Internet. Which, in some ways, is even better than allowing this information to be kept secret and discovered by black hat hackers who will buy and sell it in the black market and use it nefariously against unsuspecting victims. because by the time a white hat hacker who doesn't profit as much from discovering the vulnerabilities discovers them, chances are black hat hackers who stand to profit (and are hence far more determined to discover these vulnerabilities) already have. Black hat hackers who know very well how to get away with what they do. So in some ways it's better that the vulnerabilities and potential victims be made aware of the vulnerabilities early so they can respond before something happens.
IIRC, Google will even pay a white hat hacker to privately report a vulnerability in its system so they can fix it. That's how security should work. We're not just criticizing that these corporations make mistakes and allow vulnerabilities to exist in their systems. We're also criticizing their response when a vulnerability is privately reported. That needs to change.
Re: (Score:3)
(and black hat hackers who are also likely considerably more experienced at finding these vulnerabilities than white hat hackers and so they are better at it).
Did they extend the black belt ranking to hats as well?
Yeah! And the same with banks! (Score:2)
Banks don't need security once we get over this "blame the victim" mentality.
After all, I'm sure we all store thousands of social security numbers at home.
Re: (Score:2)
After all, I'm sure we all store thousands of social security numbers at home.
The hackers might. And maybe even at your home ;).
Re: (Score:2)
After all, I'm sure we all store thousands of social security numbers at home.
well, now someone does.
Re: (Score:2)
After all, I'm sure we all store thousands of social security numbers at home.
well, now someone does.
I bet the security of the system on which they store the SSN-es is better than the Utah Department of Health's one.
Re:As they should be (Score:5, Informative)
This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid.
I don't see this much. I see a lot of blaming the criminals and those who made it easy for the criminals.
That B is responsible too doesn't take any blame away from A. Just like if your handyman forgets to lock the door, it doesn't make the burglar any less responsible; it only adds blame to the handyman.
Remember, the victim here isn't the Utah Department of Health, it's the users of the services. The Utah Department of Health gets some blame too, not instead.
If any of the victims are to blame for anything, it's voting for a system that puts everything to the lowest bidder, making shit like this common occurrence and impossible to safeguard against.
Re: (Score:2)
This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.
"Waahh waahhh I left my front door unlocked and someone stole my valuables!"
Thing is, I'd be very able. Your physical security is shit, as is everyone's
If I kept enough information to hijack hundres of thousans of identities in my home, I would beef up my security.
Also this is funny because show me this perfect security
Who said anything about perfect security? The problem is that most attacks exploit the same security problems that have been exploited over and over and which people have been warned about over and over again. The fact that techniques for securing information exist and go unused is the problem here; there are crim
Re: (Score:2)
And in all of those cases, the victim was considered responsible, having done a dumb thing.
I don't think anyone is saying criminals are responsible for their crimes; it's that if our government knowing puts data in a situation where it's easily compromised, they share blame too.
If government were to legalize drunk driving and then people got killed as a result of drunk drivers, yes, the drunk drivers would bear b
Re: (Score:2)
Mate, you forgot to post a whinge about insta-downmodding [slashdot.org]... how can you get that sloppy lately?
Re: (Score:2)
There is no "+1 Facts". Unless facts are interesting, insightful or otherwise bring something positive to the discussion, they don't deserve a modding up. And if they are written solely to enrage others or illicit a response, they deserve "-1 Flamebait" or "-1 Troll".
What I want now is a heuristic filter that will downmod any post that appears to be a list of posts, links, or quotes with bolding. That would increase the signal to noise level here, because quite frankly, these irrelevant lists are NOISE.
Re: (Score:2)
he wasn't rated "off topic" for it, but I was... please, give us a break: Keep making this site & it's bogus moderation system look worse than it is... you only make my case for me doing that!)
Wish granted, here's the one for you: Guys, you are allowed to take a break!
Offtopic, I know, but I must admit that the whinge was exquisite, mate (hear this one: LMAO... and this: you only make my case for me doing that!) Brilliant, I tell you... absolutely brilliant, sincere thanks for it. In return, I'll tell you that life isn't supposed to be fair, but at most interesting enough to worth living - and you should see what's happening here as very interesting... nay, scratch that... intriguing at its most
Re: (Score:2)
We must stop pretending SSNs are secret! (Score:5, Insightful)
We have to stop pretending that the SSN is something only the owner knows. It cannot be an identifier and a password at the same time. It's because of our retarded system that SSNs are such a juicy theft target. Other countries have similar personal identification numbers and no rampant "identity theft" problems like we have here in the US.
Simply put, someone should not be able to pretend they are you just by knowing your SSN and name and date of birth. All should be public info and not security questions. Someone can't go in and get a loan just because they found my name in the phone book, it should be the same with the SSN. Leave it be an identifier and only an identifier. The cat's out of the bag with the secret part.
Re: (Score:2)
By owner, do you mean "government"? As the person identified by such a number, I am powerless to determine the use of that number and meanwhile, to live a "normal life" that doesn't involve putting everything I can carry into a shopping cart and sleeping on park benches, I have to surrender this "secret" to every business and government agency everywhere. And we were "told" the social security number was just for tracking your social security account. Instead it's also your Tax ID (yeah, I know you can r
Re: (Score:1)
Of the card or of you?
Re:We must stop pretending SSNs are secret! (Score:5, Insightful)
I have no idea what you mean by "owner".
The government assigns them. Each number is supposed to uniquely identify a citizen and is used mostly for SS (and a few other governmental uses). So far so good; the government assigns them and (apparently) uses them appropriately as a unique ID number.
Now we have dozens of private businesses using them as a password. Fine, I guess it's a free country. But somehow, if someone finds out my number and uses it to open a loan in my name, *I'm* liable for the loan. It's my phone that rings with creditors and my credit score which is damaged. It seems to me that the problem is these corporations which use these numbers as passwords but disclaim liability for fraud. Make it clear that financial institutions have the liability for bad loans they originate, that bad credit reports MUST be cleared unless the financial institution can prove they are true, and that there are very strict penalties for companies which abuse these rules, and the "identity theft" problem will vanish very quickly.
Re: (Score:2)
I have no idea what you mean by "owner".
1. However can sell or donate it.
2. Or, not exactly owning, but here's a quote from the "future history":
He who can destroy a thing, controls a thing
Following the first definition: whatever entity you used your SSN number with... (employers, tax office, your local pharmacy and possible big-pharma, the Utah Department of Health).
Following the second definition: hackers in East Europe, no-such-agency's data center in Utah, men-in-black, etc
Re:We must stop pretending SSNs are secret! roxy (Score:1)
I agree! If a bank or company gives someone a loan based on a name, birthday, and SSN, then it is the bank's fault. Because they did not take steps to properly verify who they gave money to, it is the bank's fault. I was not involved in anyway. Any damage to my credit rating and the time I spent cleaning things up, the bank must reimburse me for.
I have been notified twice that my info was stolen from university servers, so they gave me one year free credit monitoring each time. The info is still valid after
Re: (Score:1)
- refused to use the internet
- lined his house in chicken wire/lead drywall
-I stopped talking to when he called me the enemy for working for a wireless internet company
He spoke of a day when we would all have the choice to take a national ID with a smart card and register our finger prints or be denied all government services.
errr..
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If someone is using your SSN to pretend to be you, because it's considered "identity theft" it becomes mainly YOUR problem.
Whereas if it's considered fraud, then it's no longer really your problem but that of the Bank or other Organization that's been tricked.
Then they'd have more motivation to not be tricked so easily - and they are the ones who shouldn't be tricked so easily.
Whereas you have no reasona
Re: (Score:2)
We could get there a lot faster if we stopped recognizing identity theft as a crime. The crime being committed is NOT identity theft against individuals, it is the crime of fraud against the banks followed by the crimes of fraud and extortion by the banks against the individuals.
Ethically, it should not matter one bit that BozoBank thinks they loaned me $1,000,000. What should matter is that they have no evidence whatsoever that I am the person they foolishly handed a wad of cash to without adequate verific
Re: (Score:1)
There ought to be a security certification (Score:3)
There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.
Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.
Re: (Score:1)
There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.
Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.
There is. FISMA.
Effective technology (Score:2)
Re: (Score:2)
The vendors push the failure risk onto the consumer. X number of failures/compromises is going to be miserable for the individual, but the corporation is able to keep making a net profit from it. Until the cost of failure becomes significant for the corporation, outweighing the benefits from using the online system, they'll stay with their current business model.
This is true of any consumer product.
Headlines? (Score:5, Insightful)
Okay, Slashdot seems to be getting worse and worse about distorting things in the titles of the topics. "Medicaid Hacked" is NOT what happened here. Not even close. And when the first line of the topic's body is "The Utah Department of Health has been hacked," then you can't even excuse the poster as having been a little confused; it's flagrant tabloid-like sensationalism. Cut it out, already.
Re: (Score:3)
Note the name of the submitter of the article and then ignore in future. You'll find /. much more fun then.
Re: (Score:2)
An anonymous reader?
Better yet note the name of the poster.
Re: (Score:2)
Re: (Score:2)
The people's social security numbers were compromised...should we say that Social Security got hacked? Hey, when Global Payments got breached, does that mean that Visa and MasterCard both got hacked? No. Because when you refer to just "Visa," you refer to the organization that underpins Visa cards...and saying that they got hacked refers to an organization that is entirely different and separate. The fact that some of the people who got hacked were on Medicaid (the others were on CHIP) does not mean tha
Re: (Score:2)
I didn't RTFA, and was under the impression that the Utah Dept of Health was breached but it only affected Medicaid recipients - which makes it the largest meaningful unit of Medicaid that can be hacked.
SSN should not need be secret (Score:2)
Because de-facto its not. So we shouldnt assume that its secret and never use it as means of authentication. About as secret as your zip code.
In other words, if a bank gives out a load based on SSN alone, let _them_ hold the bag on it.
How long do you think SSN theft will remain profitable after we do that?
Re: (Score:3)
Re: (Score:1)
not exactly. the're using zip code to deter a very specific case of drive-by CC test, popular among CC thieves. its not meant to be perfect. if zip code wasnt available they could just as well have used the street number of your billing address.
Utah IT pro (Score:1)
Password: Admin
Online records "hindenburg moment?" (Score:5, Insightful)
I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.
Re: (Score:1)
"Oh the humanity" -- what happened with the Hindenberg was /not/ that airships were fixed, but that they were abandoned.
Let's try for a different kind of moment, perhaps? Although I do like the poetry of an acrobat leaping from the inferno.
Re: (Score:2)
what happened with the Hindenberg was /not/ that airships were fixed, but that they were abandoned.
Let's try for a different kind of moment, perhaps?
No, let us not. Abandoning the use of centralized databases is the only fix - airgapping just protects against remote attacks. It does not protect against abuse by insiders, be it in violation of the rules, or the creation of new rules that encourages official misuse of the data.
The solution is to decentralize. Let everyone hold their own data. Be it on a portable device like a pda/smartphone or on some sort of dropbox-like system with account-specific encryption. The idea being to maintain as much use
Re: (Score:2)
No, thhe solution io much easier. Just block access to all IP addresses not registered to Utah. For the few users outside the state, exceptions can be set up.
Re: (Score:2)
Maybe. But the simple fact is that measures like blocking entire IP blocks makes it much harder to break into such systems unpunished.
Local bad guys are so much easier to track down and bring to justice.
Besides - I don't get why anyone in China or Eastern Europe needs to be able to access Utah's Medicaid. So just shut down access
from foreign IPs by default to most sites.
Re: (Score:2)
Re: (Score:2)
I wonder if at some point there will be a breach so bad that every single identity will be stolen, and there's nothing left to protect.
These hacks wouldn't matter... (Score:5, Interesting)
Re: (Score:1)
Re: (Score:1)
In my 20s I had income of under $13k, but credit lines totaling $110k. My mother in her 70s and income under $10k got a $15k line on a credit card.
Now imagine the damage an identity thief would do to a person making under $20k, by simply getting 4x cards $5k apiece. Or imagine the long term con, where initially the thief pays off the debt to build better credit so they can steal larger amounts.
Re: (Score:1)
Get one credit card to make purchases, then second to make monthly payments on the first, and then a third to make payments on the second, and so on and so on....
So? (Score:2)
Re: (Score:2)
Its then used, sorted, sold on by persons or groups interested in unique or state wide data.
Payback time already? (Score:2)
http://yro.slashdot.org/story/12/04/08/1850249/innocent-or-not-the-nsa-is-watching-you [slashdot.org]
Could be related, considering they're in the same state. Maybe the attackers wanted to hit home and hit hard.
In other news... (Score:1)
Big Deal (Score:1)
Relax! (Score:2)
I know it sounds crazy, but remember: You can't spell insane without the NSA.
insane (Score:1)
virtual server (Score:2)
Also, it is long past time to push
I just don't know... (Score:2)
Is it wrong that my first thought-- after "Oh good, it's not HERE." --was to wonder why the hell someone would hack the medicaid records for Utah? I mean, really. Utah?
Wow (Score:1)
We need this to be universal !
Why would you want these peoples' info? (Score:1)
Re: (Score:1)
Re: (Score:2)
What part of America is Europe in?
Why, that's obvious! You know that Europeans speak French, don't you? Therefore it must be a parish somewhere in Louisiana. Failing that, it's sure in Canada.
Re: (Score:1)
Because without "Obama-care" government agencies would not have your social security number?
Re: (Score:1)
Re: (Score:2)
Re:One more reason against Obama-care (Score:4, Insightful)
What's the "Most religious state?" [thenewamerican.com] What's the most Republican state? [gallup.com] What state can't host the Olympics [wikipedia.org] without embarrassing the USA with their corruption? What state lost $2.5M [sltrib.com] to stupid Nigerian "You have been selected to win $100M dollars!" scams? What state bans effective sex-ed? [rawstory.com] Banning D&D in public schools... polygamy... and these people are too innocent to know that the religious right GOP crowd they want to join knows for sure that every Mormon will burn in Hell.
And after yet another epic f--kup, I have to listen to posts like this... on an article about how Utah can't keep track of their Medicare records, and this somehow is an opportunity to blame Obamacare? Give me a break.
Re: (Score:2)
What state lost $2.5M [sltrib.com] to stupid Nigerian "You have been selected to win $100M dollars!" scams?
Nooo! No way. You are kidding me. That cannot be serious.
Re: (Score:2)
Yes, you are correct. One of my best friends is a conservative Mormon, and being Unitarian, I'd be ashamed to belittle others for their faith, though stupid political beliefs are fair game. I don't believe Mormons are higher or lower on the Holy Ladder, but I read the Book of Mormon (my friend gave me a copy), and I read that the innocent people who had not read the book are still possibly going to Heaven, but now that I've read it and did not convert (I'm still Unitarian), I am in fact quite clearly bann
Re: (Score:1)
How about both of you trying acting like adults?
Ooooh muuum... but it is him that started first!
(ducks - mod me offtopic, but I couldn't resist)
Re: (Score:1)
Re: (Score:2)
It's another government boondoggle [despair.com].
FTFY by including the proper citation (and attribution).
Re:if you can't beat them (Score:5, Interesting)
I work for a hospital and previously I worked for a start-up that did cutting edge medical technology. And let me tell you the insurance companies IT is just pure insane and stupid.
The government pushed a new electronic Bill form called 5010 which is an upgrade of 4010. These billforms are sent via EDI (Kinda of a Star Deliminator with a Tilda line feed, a throw back to old punch card technology) the difference between 4010 and 5010 are for the most part minor, and these changes were due January 1st. We are now in April. Now most of the insurance companies are compliment but there are other who are not, their test environment and production are very different and the test will allow different rules then production. So when a Hospital goes live after testing and getting clean tests they get rejection after rejection because they are not sending the right rules to the insurance company.
Then they stick to the lie (The electronic format has the same data as the paper form) this is a Lie and absolute Lie! You call them on the lie and they will flat out deny you. Until you send the data and they reject you claims because there is data that isn't on the paper form, and some filds are on the paper from you Cannot fill in the electronic. Their checking system is insane. If they don't need that field you better not send it or your claim will get rejected.
Now lets go over the transmission to the insurance companies...
Method one. The old BBS. Yes thats right the old dial up BBS is still active. when writing scripts to automate connecting to the companies I see those old DOS base BBS's of the olden days, most of them have upgraded to allow ZMODEM transfer. Now the more modern one use Secure FTP. Secure FTP (not to be confused with sftp) as in you data channel is encrypted but not always your command channel. Or worse there are these VPN groups that many insurance companies get on where after you connect to the VPN then you normally FTP to the site... (where a rogue billing company can monitor the ports and see what goes on, because they happen to be in the VPN network)
Everyone worries about HIPAA violations from the Health Care organization. For the most part now health care organizations have fare more modern and secure systems then the Insurance companies do. And if there are going to be a hack it will be in the insurance companies.
Now you are going to say. This hack was with medicaid not a private insurance company. Well Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to an Insurance companies to do all the work. Because of the big numbers these companies often do it at a discount. However they will also cut corners to give more service to their higher paying premium customers. The reason why Medicaid and Medicare have the lowest percentage for administration costs, is because they are operated so lightly and push the work to the health care organization to do all the administration. Then they will pass the costs to their customers. And it make is that much more expensive because you have a bunch of smaller organization doing advanced administration who cannot do it as optimally as a larger company who can scale the administration costs.
Re:if you can't beat them (Score:5, Informative)
You say they are compliant. However, if they're rejecting claims because you're including information that they don't use, they're not compliant with the standard. From the X096/X097/X098 4010 837 transaction set implementation guides:
1.3 Business Use and Definition
...
Trading partners agreements are not allowed to set data specifications that conflict with the HIPAA implementations. Payers are required by law to have the capability to send/receive all HIPAA transactions. For example, a payer who does not pay claims with certain home health information must still be able to electronically accept on their front end an 837 with all the home health data. The payer cannot up-front reject such a claim. However, that does not mean that the payer is required to bring that data into their adjudication system. The payer, acting in accordance with policy and contractual agreements, can ignore data within the 837 data set. In light of this, it is permissible for trading partners to specify a subset of an implementation guide as data they are able to process or act upon most efficiently. A provider who sends the payer in the example above, home health data, has just wasted their resources and the resources of the payer. Thus, it behooves trading partners to be clear about the specific data within the 837 (i.e., a subset of the HIPAA implementation guide data) they require or would prefer to have in order to efficiently adjudicate a claim. The subset implementation guide must not contain any loops, segments, elements or codes that are not included in the HIPAA implementation guide. In addition, the order of data must not be changed. Trading partners cannot up-front, reject a claim based on the standard HIPAA transaction.
I don't have the 5010 guides, but I'm sure you'll find the same or similar language
Re: (Score:2)
Follow-up: On the other hand, if you're sending data that is defined as unused in the HIPAA (as opposed to the payer's) Implementation Guide, then they are correct in rejecting it as your transaction isn't compliant.
Re:if you can't beat them (Score:5, Funny)
Re: (Score:1)
Re:if you can't beat them (Score:4, Funny)
"Well Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to an Insurance companies to do all the work."
But private business always does things better than government agencies. The Republicans told me so!
Re:if you can't beat them (Score:5, Interesting)
Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor. No way you'll be able to identity theft up a Gold Card with that info. If they weren't so broke they couldn't pay attention, they couldn't get Medicaid.
Re: (Score:2)
Yeah its like when I worked for our road authority we had a B2B link to pass road service jobs to a contractor. To test the link we put test in every field and the contractor still dispatched the job and billed us. They want to get paid, duh.
Re: (Score:2)
The teens' info would be useful for identity theft in a few years. I presume the records would include SSN, DOB, mother's name, etc. And if they were to die in the intervening years, maybe you could create a whole new persona (I don't know if Social Security is checked when issuing new docs, to see if people have died).
Re: (Score:1)
Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor.
Because most of those people are old, living on fixed incomes, and are perfect targets for running a wide variety of scams. Just because their income is low does not mean they don't have other financial resources, for example savings accounts and many own their own homes. Many of them are also drawing social security, and with access to all their information payments could potentially be diverted, etc.
Re: (Score:3)
You're
Re: (Score:1)
Because poor people don't check for identity theft as diligently. And there are many easy ways to temporarily build credit up and take advantage of said poor people's credit. I mean stealing Bill gates ssn is next to worthless, but stealing john doe can net you hundreds of thousands if it;s used right.
Re: (Score:2)
Re: (Score:3)
The hackers, who seem to have bounced their final hop off location(s) in Eastern Europe...
FTFY
Re: (Score:2)
secure your servers.
We know already.
Sadly the world is full of idiot professional manager types who can't tell a prototype from a finished version. These are the people who need to know the risks they create by their idiot behavior.