Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen 181
An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."
Too bad for the crooks that the people are poor. (Score:3, Interesting)
Medicaid is for poor people. stealing their identity won't gain them access to much money. However the SS numbers might be useful for illegal alien ID cards.
As they should be (Score:5, Interesting)
You should not hack in to systems you don't have permission to access. It is illegal, for the same reason it is illegal to break in to a house you don't have permission to access. It doesn't matter if you are capable of doing it, you shouldn't do it. Thus if you do, expect to be held criminally accountable.
This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.
Thing is, I'd be very able. Your physical security is shit, as is everyone's. Individuals never bother with good security. You'll have a regular lock that is vulnerable to bumping, ice picking, and so on. That aside a shotgun with door breaching rounds will take it off the hinges no problem since you have no reinforcement on them. Your walls are probably made of drywall, wood framing and stucco, so a Sawzall can easily take care of that.
You don't choose to spend the time money or effort to secure your house further... Nor should you have to. Yet you think that if people don't have perfect computer security, well someone should be allowed in.
Also this is funny because show me this perfect security. Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.
Re:if you can't beat them (Score:5, Interesting)
I work for a hospital and previously I worked for a start-up that did cutting edge medical technology. And let me tell you the insurance companies IT is just pure insane and stupid.
The government pushed a new electronic Bill form called 5010 which is an upgrade of 4010. These billforms are sent via EDI (Kinda of a Star Deliminator with a Tilda line feed, a throw back to old punch card technology) the difference between 4010 and 5010 are for the most part minor, and these changes were due January 1st. We are now in April. Now most of the insurance companies are compliment but there are other who are not, their test environment and production are very different and the test will allow different rules then production. So when a Hospital goes live after testing and getting clean tests they get rejection after rejection because they are not sending the right rules to the insurance company.
Then they stick to the lie (The electronic format has the same data as the paper form) this is a Lie and absolute Lie! You call them on the lie and they will flat out deny you. Until you send the data and they reject you claims because there is data that isn't on the paper form, and some filds are on the paper from you Cannot fill in the electronic. Their checking system is insane. If they don't need that field you better not send it or your claim will get rejected.
Now lets go over the transmission to the insurance companies...
Method one. The old BBS. Yes thats right the old dial up BBS is still active. when writing scripts to automate connecting to the companies I see those old DOS base BBS's of the olden days, most of them have upgraded to allow ZMODEM transfer. Now the more modern one use Secure FTP. Secure FTP (not to be confused with sftp) as in you data channel is encrypted but not always your command channel. Or worse there are these VPN groups that many insurance companies get on where after you connect to the VPN then you normally FTP to the site... (where a rogue billing company can monitor the ports and see what goes on, because they happen to be in the VPN network)
Everyone worries about HIPAA violations from the Health Care organization. For the most part now health care organizations have fare more modern and secure systems then the Insurance companies do. And if there are going to be a hack it will be in the insurance companies.
Now you are going to say. This hack was with medicaid not a private insurance company. Well Medicare and Medicaid are operated by each state, and a lot of states in essence sold them off to an Insurance companies to do all the work. Because of the big numbers these companies often do it at a discount. However they will also cut corners to give more service to their higher paying premium customers. The reason why Medicaid and Medicare have the lowest percentage for administration costs, is because they are operated so lightly and push the work to the health care organization to do all the administration. Then they will pass the costs to their customers. And it make is that much more expensive because you have a bunch of smaller organization doing advanced administration who cannot do it as optimally as a larger company who can scale the administration costs.
These hacks wouldn't matter... (Score:5, Interesting)
Re:if you can't beat them (Score:5, Interesting)
Why anybody would wanna steal Medicaid ids is beyond me. To qualify for Medicaid you have to be poor. No way you'll be able to identity theft up a Gold Card with that info. If they weren't so broke they couldn't pay attention, they couldn't get Medicaid.