
Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen

Posted by timothy
from the those-damn-corporations dept.
An anonymous reader writes "The Utah Department of Health has been hacked. 181,604 Medicaid and CHIP recipients have had their personal information stolen. 25,096 had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012."
  • by gmanterry (1141623) on Sunday April 08, 2012 @07:04PM (#39615011) Journal

    Medicaid is for poor people. Stealing their identity won't gain them access to much money. However, the SS numbers might be useful for illegal alien ID cards.

    • Re: (Score:3, Insightful)

      by c0lo (1497653)

      Medicaid is for poor people.

      TFA quotes:

      25,096 appear to have had their Social Security numbers (SSNs) compromised

      ... many of them feel violated

      “But we also hope they understand we are doing everything we can to protect them from further harm.”

      Poor people... have their SSN compromised, feeling violated (bordering on "raped" in one meaning of the term) and asked for understanding with promises of "best effort" towards a better future.
      However... are the East European hackers the primary cause of their situation?

    • by Whorhay (1319089)
      It may not give access to much in the way of immediate cash funds. But like any random SSN they can be used in other frauds. Maybe on a one for one basis they aren't as valuable to a criminal as say my SSN would be, but they got away with more than 25 thousand of them. So even if they only get a few hundred bucks each worth of fraudulent activity out of each it'll add up. So now those 25 thousand people who were probably already having a rough time of it have the added excitement of probably being the victi
    • Well duh, my new crime-as-a-cloud service can now offer a feature that screens these people from your card lists, at only half the cost of the traditional merchant-account leasing service.

  • by Eightbitgnosis (1571875) on Sunday April 08, 2012 @07:05PM (#39615023) Homepage
    Survey says..............

    No one!
    • by Kawahee (901497) on Sunday April 08, 2012 @07:07PM (#39615027) Homepage Journal
      The cynic in me says the hackers will be held responsible.
      • by c0lo (1497653) on Sunday April 08, 2012 @08:22PM (#39615465)

        The cynic in me says the hackers will be held responsible.

        Seconded.

        FTFA adjusted with a link

        Director Michael Hales said in a statement. “But we also hope they understand we are doing everything we can [despair.com] to protect them from further harm.”

      • As they should be (Score:5, Interesting)

        by Sycraft-fu (314770) on Sunday April 08, 2012 @08:29PM (#39615507)

        You should not hack in to systems you don't have permission to access. It is illegal, for the same reason it is illegal to break in to a house you don't have permission to access. It doesn't matter if you are capable of doing it, you shouldn't do it. Thus if you do, expect to be held criminally accountable.

        This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.

        Thing is, I'd be very able. Your physical security is shit, as is everyone's. Individuals never bother with good security. You'll have a regular lock that is vulnerable to bumping, ice picking, and so on. That aside a shotgun with door breaching rounds will take it off the hinges no problem since you have no reinforcement on them. Your walls are probably made of drywall, wood framing and stucco, so a Sawzall can easily take care of that.

        You don't choose to spend the time money or effort to secure your house further... Nor should you have to. Yet you think that if people don't have perfect computer security, well someone should be allowed in.

        Also this is funny because show me this perfect security. Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on. So it isn't like just being open source and all that makes you immune. It seems that security holes happen, and that is just life.

        • by Kawahee (901497)
          I am not sure that it's illegal to "hack in to systems you don't have permission to access" in all parts of the world. For this reason, I think the onus falls to the implementer to make sure that any system they develop and make available on the public internet is secure.
        • by Anonymous Coward on Sunday April 08, 2012 @08:51PM (#39615623)

          "Your physical security is shit, as is everyone's. "

          No one is arguing that hackers who hack into a system and subsequently either damage the system or leak confidential information from the system out onto the rest of the Internet (or communicate that information to people other than employees of the company to report it to them to fix it) shouldn't be held accountable. They absolutely should.

          But there is a huge difference between a residential house (my computer with my info on it) and a bank (a service provider). When I go to a bank, I don't see them leaving unguarded money out in the open for anyone to easily grab. No, they have safes, they have bullet proof glass, they have cameras, they have security guards, they have security switches to alert cops of a robber, they have all sorts of security. Even liquor stores are careful with money, having those huge armored vehicles transporting money from place to place. We expect and require them to take measures to ensure your money is safe.

          A service provider is like a bank of information, they should also hold some responsibility and accountability if they store your personal information in such a way that it can easily get hacked into.

          And corporations are part of the problem as well. Historically, white hat hackers used to report security vulnerabilities to corporations long before leaking them on the Internet. A while back I remember someone reported a 2Wire vulnerability to 2Wire and they did absolutely nothing about it for six whole months before the person who discovered the vulnerability communicated it over the Internet and 2Wire finally fixed it with a firmware upgrade (due to public pressure). Many times when people communicate vulnerabilities to corporations privately they simply ignore them. Or they sue. So now people no longer put up with that and they simply leak the information onto the Internet. Which, in some ways, is even better than allowing this information to be kept secret and discovered by black hat hackers who will buy and sell it in the black market and use it nefariously against unsuspecting victims. Because by the time a white hat hacker who doesn't profit as much from discovering the vulnerabilities discovers them, chances are black hat hackers who stand to profit (and are hence far more determined to discover these vulnerabilities) already have. Black hat hackers who know very well how to get away with what they do. So in some ways it's better that the vulnerabilities and potential victims be made aware of the vulnerabilities early so they can respond before something happens.

          IIRC, Google will even pay a white hat hacker to privately report a vulnerability in its system so they can fix it. That's how security should work. We're not just criticizing that these corporations make mistakes and allow vulnerabilities to exist in their systems. We're also criticizing their response when a vulnerability is privately reported. That needs to change.

        • Banks don't need security once we get over this "blame the victim" mentality.

          After all, I'm sure we all store thousands of social security numbers at home.

          • by TheLink (130905)

            After all, I'm sure we all store thousands of social security numbers at home.

            The hackers might. And maybe even at your home ;).

          • After all, I'm sure we all store thousands of social security numbers at home.

            well, now someone does.

            • by c0lo (1497653)

              After all, I'm sure we all store thousands of social security numbers at home.

              well, now someone does.

              I bet the security of the system on which they store the SSNs is better than the Utah Department of Health's one.

        • Re:As they should be (Score:5, Informative)

          by arth1 (260657) on Sunday April 08, 2012 @09:40PM (#39615847) Homepage Journal

          This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid.

          I don't see this much. I see a lot of blaming the criminals and those who made it easy for the criminals.
          That B is responsible too doesn't take any blame away from A. Just like if your handyman forgets to lock the door, it doesn't make the burglar any less responsible; it only adds blame to the handyman.

          Remember, the victim here isn't the Utah Department of Health, it's the users of the services. The Utah Department of Health gets some blame too, not instead.
          If any of the victims are to blame for anything, it's voting for a system that puts everything to the lowest bidder, making shit like this a common occurrence and impossible to safeguard against.

        • This idea of blame the victims don't blame the criminals that so many on Slashdot have is stupid. Fine, I'll be ok with that so long as you are ok with it applying to the real world. You are ok with me being legally allowed to break in to your house, so long as I am able.

          "Waahh waahhh I left my front door unlocked and someone stole my valuables!"

          Thing is, I'd be very able. Your physical security is shit, as is everyone's

          If I kept enough information to hijack hundreds of thousands of identities in my home, I would beef up my security.

          Also this is funny because show me this perfect security

          Who said anything about perfect security? The problem is that most attacks exploit the same security problems that have been exploited over and over and which people have been warned about over and over again. The fact that techniques for securing information exist and go unused is the problem here; there are crim

        • Kernel.org was hacked, gnu.org was hacked, GitHub was hacked, BIND was hacked, and so on.

          And in all of those cases, the victim was considered responsible, having done a dumb thing.

          I don't think anyone is saying criminals aren't responsible for their crimes; it's that if our government knowingly puts data in a situation where it's easily compromised, they share blame too.

          If government were to legalize drunk driving and then people got killed as a result of drunk drivers, yes, the drunk drivers would bear b

      • by jamstar7 (694492)
        Yes, the hackers will be held responsible. But will they be caught? Track record says 'no'. Unless they do something seriously stupid.
  • by Anonymous Coward on Sunday April 08, 2012 @07:12PM (#39615053)

    We have to stop pretending that the SSN is something only the owner knows. It cannot be an identifier and a password at the same time. It's because of our retarded system that SSNs are such a juicy theft target. Other countries have similar personal identification numbers and no rampant "identity theft" problems like we have here in the US.

    Simply put, someone should not be able to pretend they are you just by knowing your SSN and name and date of birth. All should be public info and not security questions. Someone can't go in and get a loan just because they found my name in the phone book, it should be the same with the SSN. Leave it be an identifier and only an identifier. The cat's out of the bag with the secret part.

    • by erroneus (253617)

      By owner, do you mean "government"? As the person identified by such a number, I am powerless to determine the use of that number and meanwhile, to live a "normal life" that doesn't involve putting everything I can carry into a shopping cart and sleeping on park benches, I have to surrender this "secret" to every business and government agency everywhere. And we were "told" the social security number was just for tracking your social security account. Instead it's also your Tax ID (yeah, I know you can r

      • by Anonymous Coward

        Of the card or of you?

      • by kqs (1038910) on Sunday April 08, 2012 @07:48PM (#39615263)

        I have no idea what you mean by "owner".

        The government assigns them. Each number is supposed to uniquely identify a citizen and is used mostly for SS (and a few other governmental uses). So far so good; the government assigns them and (apparently) uses them appropriately as a unique ID number.

        Now we have dozens of private businesses using them as a password. Fine, I guess it's a free country. But somehow, if someone finds out my number and uses it to open a loan in my name, *I'm* liable for the loan. It's my phone that rings with creditors and my credit score which is damaged. It seems to me that the problem is these corporations which use these numbers as passwords but disclaim liability for fraud. Make it clear that financial institutions have the liability for bad loans they originate, that bad credit reports MUST be cleared unless the financial institution can prove they are true, and that there are very strict penalties for companies which abuse these rules, and the "identity theft" problem will vanish very quickly.

        • by c0lo (1497653)

          I have no idea what you mean by "owner".

          1. Whoever can sell or donate it.

          2. Or, not exactly owning, but here's a quote from the "future history":

          He who can destroy a thing, controls a thing

          Following the first definition: whatever entity you used your SSN number with... (employers, tax office, your local pharmacy and possible big-pharma, the Utah Department of Health).
          Following the second definition: hackers in East Europe, no-such-agency's data center in Utah, men-in-black, etc

        • I agree! If a bank or company gives someone a loan based on a name, birthday, and SSN, then it is the bank's fault. Because they did not take steps to properly verify who they gave money to, it is the bank's fault. I was not involved in any way. Any damage to my credit rating and the time I spent cleaning things up, the bank must reimburse me for.

          I have been notified twice that my info was stolen from university servers, so they gave me one year free credit monitoring each time. The info is still valid after

          • I had this friend once, the real tinfoil hat kind of friend/acquaintance who:
            - refused to use the internet
            - lined his house in chicken wire/lead drywall
            - I stopped talking to when he called me the enemy for working for a wireless internet company

            He spoke of a day when we would all have the choice to take a national ID with a smart card and register our fingerprints or be denied all government services.

            errr..
      • by swalve (1980968)
        Just use a tax ID number for business purposes.
    • by TheLink (130905)
      Actually you have this problem because people and organizations call it and treat it as "identity theft".

      If someone is using your SSN to pretend to be you, because it's considered "identity theft" it becomes mainly YOUR problem.

      Whereas if it's considered fraud, then it's no longer really your problem but that of the Bank or other Organization that's been tricked.

      Then they'd have more motivation to not be tricked so easily - and they are the ones who shouldn't be tricked so easily.

      Whereas you have no reasona
    • by sjames (1099)

      We could get there a lot faster if we stopped recognizing identity theft as a crime. The crime being committed is NOT identity theft against individuals, it is the crime of fraud against the banks followed by the crimes of fraud and extortion by the banks against the individuals.

      Ethically, it should not matter one bit that BozoBank thinks they loaned me $1,000,000. What should matter is that they have no evidence whatsoever that I am the person they foolishly handed a wad of cash to without adequate verific

  • by Beeftopia (1846720) on Sunday April 08, 2012 @07:14PM (#39615071)

    There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.

    Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.

    • by Anonymous Coward

      There ought to be a security-related certification, along the lines of CMMI Level X, for websites that want to put sensitive information online. A group goes in and audits the network and the office, does penetration testing, and gives you a rating based on corporate practices, user knowledge and potential and actual weaknesses.

      Before these sites feel like they can put up my social security number and health records behind passwords like admin/admin, or allow contractors to download entire social security databases and leave them on USB drives or laptops which can be/are stolen, they should first obtain some minimum level of security-related competence certification.

      There is. FISMA.

  • This brings up an interesting question as to whether the advantages of storing massive amounts of personal data on public facing servers (or any server at all; recent reports have me convinced that anybody, including governments, foreign hackers, or anyone else, who wants the data badly enough will be able to find a way to get it) creates large enough benefits to balance the damages caused by breaches like this.
    • The vendors push the failure risk onto the consumer. X number of failures/compromises is going to be miserable for the individual, but the corporation is able to keep making a net profit from it. Until the cost of failure becomes significant for the corporation, outweighing the benefits from using the online system, they'll stay with their current business model.

      This is true of any consumer product.

  • Headlines? (Score:5, Insightful)

    by Shoten (260439) on Sunday April 08, 2012 @07:29PM (#39615145)

    Okay, Slashdot seems to be getting worse and worse about distorting things in the titles of the topics. "Medicaid Hacked" is NOT what happened here. Not even close. And when the first line of the topic's body is "The Utah Department of Health has been hacked," then you can't even excuse the poster as having been a little confused; it's flagrant tabloid-like sensationalism. Cut it out, already.

    • by JSG (82708)

      Note the name of the submitter of the article and then ignore in future. You'll find /. much more fun then.

    • As Medicaid is a program wholly managed by the states, it's not unreasonable to say that Medicaid was hacked. It's a subset of the whole Medicaid program, sure, but it's also the largest meaningful subunit of Medicaid that can be hacked.
      • by Shoten (260439)

        The people's social security numbers were compromised...should we say that Social Security got hacked? Hey, when Global Payments got breached, does that mean that Visa and MasterCard both got hacked? No. Because when you refer to just "Visa," you refer to the organization that underpins Visa cards...and saying that they got hacked refers to an organization that is entirely different and separate. The fact that some of the people who got hacked were on Medicaid (the others were on CHIP) does not mean tha

        • For the record, Medicaid is jointly funded by federal and state governments and COMPLETELY run by the states. The federal government has no role in administering the program, and only sets guidelines for eligibility and coverage. There is no overarching federal Medicaid administration system to be hacked.

          I didn't RTFA, and was under the impression that the Utah Dept of Health was breached but it only affected Medicaid recipients - which makes it the largest meaningful unit of Medicaid that can be hacked.
  • Because de facto it's not. So we shouldn't assume that it's secret, and never use it as a means of authentication. About as secret as your zip code.

    In other words, if a bank gives out a loan based on SSN alone, let _them_ hold the bag on it.

    How long do you think SSN theft will remain profitable after we do that?

  • Password: Admin

  • by GameboyRMH (1153867) <gameboyrmh@gmail. c o m> on Sunday April 08, 2012 @08:06PM (#39615363) Journal

    I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.

    • by Anonymous Coward

      "Oh the humanity" -- what happened with the Hindenberg was /not/ that airships were fixed, but that they were abandoned.

      Let's try for a different kind of moment, perhaps? Although I do like the poetry of an acrobat leaping from the inferno.

      • what happened with the Hindenburg was /not/ that airships were fixed, but that they were abandoned.

        Let's try for a different kind of moment, perhaps?

        No, let us not. Abandoning the use of centralized databases is the only fix - airgapping just protects against remote attacks. It does not protect against abuse by insiders, be it in violation of the rules, or the creation of new rules that encourages official misuse of the data.

        The solution is to decentralize. Let everyone hold their own data. Be it on a portable device like a pda/smartphone or on some sort of dropbox-like system with account-specific encryption. The idea being to maintain as much use

        • by sosume (680416)

          No, the solution is much easier. Just block access to all IP addresses not registered to Utah. For the few users outside the state, exceptions can be set up.

    • You mean like an event that happens to those in power to actually care? Because last I checked, we've had plenty of "Hindenburg moments". Just none of them mattered unless you were a victim.

    • I wonder if at some point there will be a breach so bad that certain critical records will be moved to airgapped systems and never go back, just because of the horrible memory of that disaster.

      I wonder if at some point there will be a breach so bad that every single identity will be stolen, and there's nothing left to protect.

  • by justcauseisjustthat (1150803) on Sunday April 08, 2012 @08:36PM (#39615555)
    These hacks and all hacks that steal information but no money, etc. would be made pointless if the banking system and credit bureaus had better validation requirements! But instead they want to defraud their customers by selling credit and identity protection.
    • by JDS13 (1236704)
      People qualify for Medicaid because they can't afford to pay for their own medical care and haven't arranged for any insurance or other third party payment... so perhaps these hacks won't matter because these Social Security numbers aren't worth anything.
      • Perhaps you don't understand how easy credit is to get in the United States.

        In my 20s I had income of under $13k, but credit lines totaling $110k. My mother in her 70s and income under $10k got a $15k line on a credit card.

        Now imagine the damage an identity thief would do to a person making under $20k, by simply getting 4x cards $5k apiece. Or imagine the long term con, where initially the thief pays off the debt to build better credit so they can steal larger amounts.
        • The easiest way to grow your credit with little income is the shell game.

          Get one credit card to make purchases, then second to make monthly payments on the first, and then a third to make payments on the second, and so on and so on....
  • What exactly are they going to do with these? Identity theft? I'd be willing to bet that these people don't have good enough credit, assets, etc. to make it worthwhile.
    • by AHuxley (892839)
      The digital world's version of subprime? You roll a lot of "new" data into a big file and sell it in bulk as a US identity pack.
      It's then used, sorted, sold on by persons or groups interested in unique or state wide data.
  • http://yro.slashdot.org/story/12/04/08/1850249/innocent-or-not-the-nsa-is-watching-you [slashdot.org]

    Could be related, considering they're in the same state. Maybe the attackers wanted to hit home and hit hard.

  • ...there has been a run on illicit payday loans! Investigators believe there may be a link to the Medicaid breach.
  • Why do I say Big Deal? Medical records aren't safe in any kind of form or capacity. I've had 5 different entire sets of medical results lost, misplaced and never found. I've had medical records lost in shipment from one doctor to another. So what's the big deal? The medical industry doesn't give a rat's ass about keeping your data safe; losing one medical result is bad enough, losing two is unacceptable and losing 5 is just beyond insane. If doctors, hospitals and front desk personnel really cared what h
  • It wasn't hackers from another country. It was just a test run of the new NSA Utah Data Center [slashdot.org]. The Utah Department of Health just happened to be the nearest available guinea pig from which to steal sensitive personal data on thousands of Americans. It did what it was supposed to do.

    I know it sounds crazy, but remember: You can't spell insane without the NSA.
  • Those Hackers should now have a lot of information about me. I was deported into homelessness in 2008 when two other ladies decided I wasn't responsive. Amid threats of Hospitalization, I signed back onto Medicaid. Haven't been off of it since. If you wonder what the State Insane Asylum is like, it is essentially a prison where you can't see the stars ever, and the most important thing is a policy against yelling. Papers and personal items are routinely stolen from their admits. I now live in a nursin
  • Mini virtual server. Seriously, this will sound like a weird idea, but rather than having a webserver that connects to a DB which requires secured code, how about an instance level virtual server? Basically, when you log in, you create a virtual server with your personal information. Nothing else. For this to work, it requires the ability to spin up virtual servers quickly, OR an 'instance' of a DB with its copy of data, but only with the data tied to that login or key.

    Also, it is long past time to push
  • Is it wrong that my first thought-- after "Oh good, it's not HERE." --was to wonder why the hell someone would hack the medicaid records for Utah? I mean, really. Utah?

  • by eyenot (102141)

    We need this to be universal !

  • They're on Medicaid - they get their money from people who actually work for it. Most probably have awful credit as well.
