Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Data Storage Medicine Privacy Security IT

Six Missing HDDs Contain Health Information of Nearly a Million Patients (corporate-ir.net) 87

Lucas123 writes: Health insurer Centene Corp. revealed that it is looking for six HDDs with information on 950,000 customers that went missing during a data project that was using laboratory results to improve the health outcomes of patients. The drives not only contain sensitive personal identification information, such as addresses, dates of birth and social security numbers, but they also contain health information. "While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.
This discussion has been archived. No new comments can be posted.

Six Missing HDDs Contain Health Information of Nearly a Million Patients

Comments Filter:
  • Editing (Score:5, Funny)

    by Anonymous Coward on Wednesday January 27, 2016 @02:28AM (#51380155)

    "While I usually praise the high standard of editing," said readers of Slashdot everywhere.

    • Re: (Score:2, Insightful)

      by GroeFaZ ( 850443 )
      Good thing /. has editors, otherwise every shmuck could post anything he wants, without regard to basics like complete sentences.
  • If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the ssd's were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

    • Killing People (Score:5, Insightful)

      by Etherwalk ( 681268 ) on Wednesday January 27, 2016 @03:02AM (#51380271)

      If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the ssd's were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

      That policy choice would kill a lot of people because it would prevent data mining to learn how to generate better health outcomes.

      Trade offs.

      • by wings ( 27310 )

        If you compile information into huge databases, this is what you can expect. Personally, I want all my medical records on paper charts stored in my doctor's office. Unless you agree to have your information published on the internet, don't accept electronic records. I assume that in this specific case the ssd's were lost. Even if they end up on eBay, the new owners will most likely clear the old data.

        That policy choice would kill a lot of people because it would prevent data mining to learn how to generat

    • You know that this would not have been a problem, had they had to store all the data on 5 1/4" floppy disks, right? The backup alarm on the semi truck would have been a dead giveaway...

  • by aglider ( 2435074 ) on Wednesday January 27, 2016 @02:41AM (#51380201) Homepage
    Backup, encryption
    • Comment removed based on user account deletion
      • by Anonymous Coward

        The sad thing is that every PC certified for Windows post 8 has a TPM and facilities for hardware encryption onboard. Enable BitLocker, and the OS platter is protected. From there, it is simple to BitLocker encrypt volumes, either externals, or others. Macs have FileVault2.

        Even if the drives were on a NAS, my el cheapo Synology DS116j (single drive model, whose purpose in life is to be a rsync target for my other NAS for backups), offers eCryptFS encryption.)

        External HDDs in general can be well protecte

  • by Anonymous Coward

    Have you checked Hillary's server?

  • by Anonymous Coward

    There are practically no real-world consequences for HIPAA violations like this. [propublica.org]

    Everybody will be fine. Except the patients. And who the fuck cares about those jerk-offs anyway?

  • I think shipping any sensitive data unencrypted should be a punishable offence even when the data is not stolen. Similar to driving around without your seatbelt. Its irresponsible behaviour that is easily prevented and comes from being lazy

    • It's very much so punishable. Health insurer Centene Corp can expect a fine of several million dollars. Just last year two companies settled for a total of $4.8 million and this just affected less than 7000 people. This company exposed 950,000 Source: I work in HIPAA compliance
      • If you work in HIPAA compliance, you might want to read over the actual document [hhs.gov] again. Encryption is not "Required", but only "Addressable". This is followed up by "reasonable and appropriate” for Addressable items, including documentation on why the Covered Entity didn't feel the Addressable was needed. This [hhs.gov] is from a governmental site, and the answer is "no". If this data was supposed to always stay in-house, then per 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii) that fact alone is probably good enoug
        • You pretty much answered yourself. I guarantee you they've never performed a risk assessment. I deal with these types of companies on a daily basis. There are so many healthcare companies and providers out there that don't even follow basic minimum security practices. The stuff that pops up in the news is nothing compared to some of the shit I see constantly. But hey, it keeps me in business, so what's there to complain about right?
  • by Anonymous Coward

    If they are encrypted no worries. If they are not encrypted the board should each be given jail time 5 year minimum

  • by l0n3s0m3phr34k ( 2613107 ) on Wednesday January 27, 2016 @04:29AM (#51380469)
    Some IT guy took the drives home, wiped them, and is now using them in his home file server, or just straight-up sold them on Ebay. This happens all the time, I've seen it happen at every company I've worked for over the past 20 years. TFA has little actual information (and neither does the Reuters write up)...were they shipped some place? Were these in a server, laptops, desktops?
  • They're professionals. The drives will be encrypted, right? Right?
  • Have they never heard of HIPPA? I worked for about 14 months doing exome sequencing for the Million Man thing at the VA - or at a contractor to the VA. All the external drives were encrypted with 16 digit pins. And after so many tries they'd lock up completely. So no brute forcing. The drives were made by Apricorn and carried FIPS 140.2 certifcations.
    • Have they never heard of HIPPA?

      Probably. They probably also determined that the cost of the fine is less than the cost of compliance.

  • One of the for-profit health insurance companies who just raked in a huge windfall as a result of the largest government-to-corporate handout in the history of government [wikipedia.org] were too drunk on their power to bother with data security.

    Yep, absolutely nobody is surprised by this in the least. Turns out hookers and blow don't manage this stuff very well on their own.
    • yeah I know. I'm aware of several policies that data on external drives must be encrypted. And data sent via common carrier must also be encrypted. And signed for - life cycle management - including erasure and limited access documentation.

      Our data center guys (not even handling PHI - just IP) have to use these USB drives that contain push-button PIN passwords right on the device itself. Data can't even leave the room without this level of security.

      It is easy these days. You just need to do it.

      • It is easy these days. You just need to do it.

        Yeah, but it takes time. And time costs money. And the insurance companies are insured against this kind of stupidity by other insurance companies, so they just let the chips fall where they may ... and let the party keep rolling. It's not like there will be any consequences for the insurance company, as they now have a guaranteed customer base for the rest of their lives.

        • oh right - I forgot about that angle. What is the exposure to fines vs cost of doing it right? Gosh wasn't that a /. topic a few weeks ago - can't sue if there aren't any actual damages from identity theft. Just pay for monitoring and all is right with the world.

          The ol' bean counter clause.

          hmm... remember those companies that were experimenting with publishing all salaries of employees for full (internal) view? What if all of our personal details were just out in the open? It would reduce the value of

          • What if all of our personal details were just out in the open? It would reduce the value of it.

            Even further back there was a story here about someone who was intentionally putting all his most trivial information into very public websites. I don't recall all the details now, but it may have been something he was doing do counter the fact that he was being targeted for surveillance for no particularly good reason so he figured he could do exactly that - reduce the value of the data.

            Being as the slashdot "search" function continues to be the least useful search function anywhere, I have no good w

  • Why is a person's SSN and date of birth 'sensitive information.'

    Now, I know that the Credit Industry wants to be able to use this information to obligate us to assume responsibility for any debt they might choose to inflict on us.

    But how is it in our benefit for this to be Secret Information? The Social Security Administration was not intended to issue 'secret numbers' to people.

    The Government should publish all SSNs and in effect disallow the Credit Agencies from using this information against us. It wou

  • by AndyKron ( 937105 ) on Wednesday January 27, 2016 @09:22AM (#51381339)
    Health insurer Centene Corp should be sued out of existence.
  • The HIPAA and HITECH Acts' Security Rule require hard drives containing personal health information (PHI) to be encrypted at rest.

    Why weren't they?

    Losing an encrypted drive is not a reportable incident. Losing one with 950,000 records in cleartext results in you getting your name up on the Wall of Shame at HHS' Office of Civil Rights (OCR) along with penalties of $100 to $50,000 _per_record_ up to a maximum of $1.5 million.

    In this case, since Centene Corp. is guilty of "Willful Neglect", the penalty sho

  • Get Echo on the job, she'll find them in no time. Unless Alpha took them, then you're all screwed.
  • "While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.

    That is the absolute lamest "don't worry" defense I've heard in a decade, hands-down.

    So, what, you know an employee took it and wants hush money? No? Then how can you even claim data safety? OMFG.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...