
SAIC Loses Data of 4.9 Million Patients

Unknown Lamer posted about 3 years ago | from the keep-them-tapes-safe dept.

Privacy 182

An anonymous reader writes "Government contractor SAIC just can't seem to get a break. Still fresh off of the Citytime scandal, they've now had a data breach in which backup tapes holding 4.9 million personal health records were stolen from an employee's car. To add insult to injury, evidently the tapes were not encrypted either: 'Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape."'"


holy crap, what idiots (1)

chiBrian (2089894) | about 3 years ago | (#37602194)

There are people who let their data out of the data center in plaintext?

Re:holy crap, what idiots (1)

tnk1 (899206) | about 3 years ago | (#37602476)

Yeah, but they usually go to places like Iron Mountain via more or less secure transport for offsite storage. Why this guy actually had those tapes in his car is an entirely different issue, and probably one where convenience won out over proper procedure. Which is assuming that SAIC actually had a procedure, of course.

This does look like legitimate grounds for potential lawsuits: the fact that patient data needs to be secure is hardly an obscure set of laws and requirements.

As for the "require knowledge of and access to specific hardware and software and knowledge of the system and data structure", I suppose that's an issue with all data... but would it really be that hard to get access to that knowledge if someone really wanted that information?

Re:holy crap, what idiots (2)

3nails4aFalseProphet (248128) | about 3 years ago | (#37602834)

For some organizations, it is a weighted risk. Which would be worse: some random car thief thinking he stole somebody's 8-track collection, or not being able to find/remember the right password to restore the data in a legit DR situation?

Although, even with my defending them above I have to ask... WTF was going on with tapes left alone in an employee's car? Most places use a data storage company to transfer and store tapes.

Also, Axway's Raley was either misquoted or she's an idiot. What is Tricare using that makes tape encryption so difficult? Usually the difference between encrypting and not is just checking a box and entering a password. It may slow down an already tedious process of backing up/restoring, but it definitely isn't difficult to implement.

orly? (0)

1_brown_mouse (160511) | about 3 years ago | (#37602204)

srsly?

/now I hate myself as much as you hate me for this post.

LOL (4, Informative)

afidel (530433) | about 3 years ago | (#37602216)

Hard to encrypt tape?!? Every LTO5 and most LTO4 drives support hardware AES encryption!

Re:LOL (0)

shawn(at)fsu (447153) | about 3 years ago | (#37602300)

I can't find in the second link where it says it's very hard to encrypt backup tapes. Did I miss something?

Re:LOL (1)

shawn(at)fsu (447153) | about 3 years ago | (#37602326)

Never mind that was stated in the first link.

And they all support rot256 (2)

davidwr (791652) | about 3 years ago | (#37602674)

rot256 is for arbitrary 8-bit binary data.

"rot256 - like rot13 but 19-20 times as much rot!"
- rejected slogan, rot256 working group

Re:LOL (1)

cjb658 (1235986) | about 3 years ago | (#37602730)

Maybe there's a patent for encrypting patents.

Re:LOL (1)

mlts (1038732) | about 3 years ago | (#37602792)

Bingo. For basic encryption, I logged onto the tape silo, typed in a passphrase, enabled encryption, and called it done. Transferring the key via SPIN/SPOUT to the drives does the rest.

If I wanted better encryption, I can use a key management system, changing out keys for written tapes, but yet keeping them on the appliance for reading. Of course, a backup of the keys is made and stored.

Even without LTO's built in encryption, every modern backup program supports some type of AES level software encryption. NetBackup, TSM, Networker, you name it. It usually consists of a checkbox and either creating an encryption key, or typing in a password.

Tape encryption isn't hard by any means.

Re:LOL (1)

emayar (1790294) | about 3 years ago | (#37602922)

Exactly! Encrypting tape backups is required by HIPAA anymore.

Quote not attributed to SAIC (1)

Johnny Mnemonic (176043) | about 3 years ago | (#37603142)

From TFA:

Raley is "director of healthcare solutions at IT integration and security company Axway" and the quote "very hard to encrypt tape" is attributed to him, not SAIC.

SAIC has not said if the data was encrypted on the tapes or not.

If you use Axway as a vendor, you should fire them.

Very hard to encrypt a backup tape? (1)

grimmjeeper (2301232) | about 3 years ago | (#37602226)

Seriously?

What kind of knuckle dragging moron can't figure out how to encrypt the data stream they're backing up?

Re:Very hard to encrypt a backup tape? (2)

Raistlin77 (754120) | about 3 years ago | (#37602608)

Seems to be that it was an ignorant attempt at sarcasm, as in "How do you encrypt plastic?" Clearly he's the kind of knuckle dragging moron that shouldn't be making statements regarding the topic at hand.

Re:Very hard to encrypt a backup tape? (2)

Synerg1y (2169962) | about 3 years ago | (#37602744)

Lol, this guy took the tapes out to his CAR, would you feel ok walking around with your company's database in your briefcase?

I wouldn't, I'd VPN in to grab it, not carry it, and I'd make sure I'm using a hardened windows to do it too. That kind of liability can really put a kink in somebody's day.

This fine gentleman though, not only removed the tapes, he put them in his car.

Now with that thought pattern do you REALLY expect him to know about encrypting tapes?

Some people just shouldn't be allowed to be around computers, but are because for reasons that are not fully revealed to me some people think they can work in IT without actually knowing much about computers. I'm just adding this post as an extra gtfo of IT to these people.

If my record was among those, I'd prolly be looking into a class action lawsuit rather than making this post.

Re:Very hard to encrypt a backup tape? (1)

dave562 (969951) | about 3 years ago | (#37603134)

Lol, this guy took the tapes out to his CAR, would you feel ok walking around with your company's database in your briefcase?

I have to take drives to and from the data center with confidential and sensitive data on them. They are TrueCrypted with strong pass phrases, but just having the data in my possession makes me hesitant to go anywhere other than directly to/from the data center and office. Stop at Starbucks? No way! What if someone steals the drive during the 5 minutes it takes me to get my coffee!?!

On another note, have these people never heard of Iron Mountain? Those guys are there for a reason, and that reason is not because it is hard to transport a backup tape from point A to point B. They are there to manage the risk. When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

Re:Very hard to encrypt a backup tape? (3, Informative)

Bucky24 (1943328) | about 3 years ago | (#37603400)

When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

Every time that happens they kill all the witnesses. So no one ever knows...

Re:Very hard to encrypt a backup tape? (1)

Martin Blank (154261) | about 3 years ago | (#37603424)

When was the last time we read a story, "Iron Mountain lost backup tapes uber confidential data."??

Based on a quick search, at least as recently as 2009. And then 2008 before that. And 2007, 2006, and 2005 (twice) before that.

http://datalossdb.org/organizations/128-iron-mountain [datalossdb.org]

We use Iron Mountain and they're generally good (and the local warehouse is only a couple of miles away), but it's still a good idea to encrypt any tape that leaves the facility, whether or not it contains personal data. A system backup could provide information useful to someone who wants to gain access to a network, among other things.

Re:Very hard to encrypt a backup tape? (1)

Seedy2 (126078) | about 3 years ago | (#37603256)

Unfortunately there are id10ts out there (typically upper management) who once heard the phrase offsite backup from one of their golf buddies, and thought it meant "have the IT staff take the backup home with them, in case there's a fire". Continuing with some variation of: "Besides, if we need something restored they can get it back faster than iron mountain"

The hours I've argued...

Re:Very hard to encrypt a backup tape? (1)

seifried (12921) | about 3 years ago | (#37603440)

Well: Google says... [google.ca] "Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers." Among others.

Re:Very hard to encrypt a backup tape? (1)

JonySuede (1908576) | about 3 years ago | (#37603270)

you'd VPN a few LTO5 tapes, wow, I would like to have such a nice internet connection....

Re:Very hard to encrypt a backup tape? (1)

Hatta (162192) | about 3 years ago | (#37603352)

Never underestimate the bandwidth of a briefcase full of LTO tape. If it's encrypted, it should be absolutely no problem physically transporting the backups off site yourself.

Don't get me wrong, this guy is an idiot. But the fact that he had backup tapes on his person, in his car, is not evidence for that.

LTO can do it on the drive (1)

Colin Smith (2679) | about 3 years ago | (#37602238)

And most of the big vendors and even many free software systems support key management. So no, it isn't very difficult. You just have to give a shit.

very hard to encrypt (2)

Oxford_Comma_Lover (1679530) | about 3 years ago | (#37602242)

Yeah, encrypting a backup tape might take another hour or two to configure... not at all reasonable overhead for 4.9 million patient records

Espionage? (1)

N8F8 (4562) | about 3 years ago | (#37602250)

What's the probability that someone breaks into your car and steals computer tapes?

Re:Espionage? (3, Insightful)

Nkwe (604125) | about 3 years ago | (#37602284)

What's the probability that someone breaks into your car and steals computer tapes?

Maybe not as high as an employee selling the tapes and claiming that they were stolen.

Re:Espionage? (1)

N8F8 (4562) | about 3 years ago | (#37602304)

I had a similar thought. Highly suspicious.

Re:Espionage? (1)

shawn(at)fsu (447153) | about 3 years ago | (#37602378)

Why would an employee that has access to the data steal the tapes and not make copies? Esp. with all the attention even saying the tapes were stolen would cause. "Never attribute to malice that which is adequately explained by stupidity"

Re:Espionage? (2)

BBTaeKwonDo (1540945) | about 3 years ago | (#37602658)

If a copy is found, it may be possible to determine when the copy was done and by whom. E.g., "Suzy's record was added on the 3rd and Bobby's was added on the 4th. This copy has Suzy's record but not Bobby's, so the copy must have been taken on the 3rd. Who did the backups on the 3rd?" By saying the tapes were stolen, it's much less suspicious if a copy is found.

Re:Espionage? (2)

dave562 (969951) | about 3 years ago | (#37603194)

Depending on the environment, it is very easy to detect a copy operation. Due to the sensitivity of the data we deal with, we have controls in place. Every time a drive is attached / detached from the server it is recorded. Internet connectivity is prohibited. ACLs on the servers prevent mounting remote file systems, and even if they could be mounted, the mount would be logged.

In my environment, it would be much easier to "lose" a backup tape than to simply copy the records. Of course, that is not entirely true either. The tapes need to be signed out of the data center. Given that, "theft" is pretty much the only viable alternative.

Re:Espionage? (0)

Anonymous Coward | about 3 years ago | (#37602346)

What's the probability that someone breaks into your car and steals computer tapes?

Maybe not as high as an employee selling the tapes and claiming that they were stolen.

Who leaves their backup tapes in a car anyways? In every place I've worked the backup tapes go straight to the off-site warehouse.

Re:Espionage? (1)

jank1887 (815982) | about 3 years ago | (#37602828)

maybe theirs do too. via... a car.

Re:Espionage? (1)

compro01 (777531) | about 3 years ago | (#37603110)

The only car that this kind of backup tape belongs in is an armoured one.

Re:Espionage? (1)

mlts (1038732) | about 3 years ago | (#37602866)

Any firm that doesn't have a chain of custody of tapes is failing ITIL 101.

For example, on premises, tapes should be either sitting in the silo, inserted in a tape safe [1], or in the blue containers with a seal on them waiting for the IM van.

Not rocket science here. It is disappointing seeing organizations not follow this.

[1]: Businesses need an on premise tape safe. This is less for security (since the safe should be located fairly near the data center, and behind locked doors), but for protection in case of fire.

Re:Espionage? (1)

last-omega (1252232) | about 3 years ago | (#37603098)

Does anyone remember "Database Nation"?

Re:Espionage? (1)

hrvatska (790627) | about 3 years ago | (#37602356)

Yeah, I was thinking that either they're covering up some other incompetence or this was an inside job. I'm inclined to think that someone knew those tapes would be in that car at that time. But then there's Hanlon's razor, never attribute to malice that which is adequately explained by stupidity. And this was pretty stupid.

Re:Espionage? (0)

Anonymous Coward | about 3 years ago | (#37602374)

I dunno. Any students of Andrew Tanenbaum live nearby?

Re:Espionage? (0)

Anonymous Coward | about 3 years ago | (#37602398)

What's the probability that someone breaks into your car and steals computer tapes?

Given a small stretch of the imagination, probably pretty good... They were probably in a bag, backpack, or briefcase, which was just snatched because it was something easy to carry.

Re:Espionage? (1)

Lashat (1041424) | about 3 years ago | (#37602548)

More like cover up for a data breach/loss they have no clue how to fix right now. This limits their liability to "Yea, well he was fired. Won't happen again."

Re:Espionage? (1)

MozeeToby (1163751) | about 3 years ago | (#37602622)

I'd say there's a 99.9% chance that the thief didn't know what they were grabbing. Break a window, grab any bags or boxes you see and get out of there is how most operate. Of course, there's a 0.01% chance that the thief knows exactly what they were going after and has been casing the mark for weeks waiting for the right opportunity. And then there's the overlap of maybe 10% that didn't know when they grabbed it but are completely aware of it by now, either through media reports (not that the media shouldn't report, it's the 0.01% chance that you need to worry about anyway) or by accessing the tapes directly. The question is if they have contacts with the right criminal elements to make a profit off the information.

10% overlap (1)

davidwr (791652) | about 3 years ago | (#37602774)

and rising by the hour

Re:Espionage? (1)

hedwards (940851) | about 3 years ago | (#37603358)

I suppose, but who's going to steal tapes without knowing what's on them? Without more information it's hard to say, but it's a lot less likely that a smash and grab is going to be triggered by seeing tapes, unless the thief has some idea what's on them.

Laptops OTOH, I totally see how those would be stolen by somebody not knowing what's on them.

Re:Espionage? (0)

Anonymous Coward | about 3 years ago | (#37602732)

What's the probability that someone breaks into your car and steals computer tapes?

I leave my backup tapes on the dashboard. In Florida. In July.

Re:Espionage? (1)

TClevenger (252206) | about 3 years ago | (#37602846)

What's the probability that someone breaks into your car and steals computer tapes?

If they're sitting in plain view? Somebody busted my window to steal less than a dollar in change that was sitting in the center console. And that was in a car that was already missing the radio because of a previous break-in.

My professional opinion (4, Informative)

subreality (157447) | about 3 years ago | (#37602280)

It's very hard to encrypt a backup tape.

I think I speak for everyone when I say: Fuck you, no it's not. I don't have any problems encrypting my personal backups even though I have nothing more private to protect than porn. You people are supposed to be professionals. Telling people their data is safe because it would require "special hardware and software" to read the tapes is pathetic. Get your shit together, sir.

Re:My professional opinion (1)

rk (6314) | about 3 years ago | (#37602348)

I worked on a networked backup and recovery system and in the 1.1 version of our product, we integrated encryption both of the data streams from remote systems, and of the data on the tape itself.

This was 10 years ago. If you bought recovery software from a competent vendor, it's not hard at all.

Re:My professional opinion (4, Insightful)

mlts (1038732) | about 3 years ago | (#37602894)

Nail. Head. Hit.

"special hardware and software" gets me...

An LTO-5 drive and access to GNU tar or cpio is an alt-tab away for a number of IT people.

Not encrypting == Willful Neglect violation (0)

Anonymous Coward | about 3 years ago | (#37603436)

HIPAA/HITECH *mandates* that any backup tapes that are taken out of a secured environment are to be encrypted. No exceptions.

Someone's car is not a "secured environment".

Each individual's data that was lost could be a separate violation... corrected violation at $10K each or uncorrected violation at $50K each. It's pretty tough to "correct" when PII data is already lost. Max cap on violations is $1.5 million per year.

SAIC ought to get the book thrown at them. A high-end encrypting LTO4/LTO5 tape autoloader should be on the minimum equipment list for any enterprise data center that handles PII.

Re:My professional opinion (1)

Bucky24 (1943328) | about 3 years ago | (#37603452)

require "special hardware and software" to read the tapes

Eh, technically it does. You could also say that a CD requires special hardware and software to read. It's just that the hardware and software in question is fairly easy to obtain...

/facepalm (2)

idontgno (624372) | about 3 years ago | (#37602282)

Did you just say "It's very hard to encrypt a backup tape."? In public? Out loud? With a straight face?

Encryption (1)

mehrotra.akash (1539473) | about 3 years ago | (#37602308)

Now, I don't know anything about tape drives, but how can it be difficult to do the encryption?

Simplest process would be to just zip them up with 7-zip, split into archives the size of the tape and apply a password to it.

May not be the strongest security, but still better than nothing

Re:Encryption (1)

Anonymous Coward | about 3 years ago | (#37602406)

Do you know anything about anything?

Re:Encryption (2)

MikeB0Lton (962403) | about 3 years ago | (#37602826)

Backup processes are typically automated and do not use 7-zip, but instead use backup utilities that cost $$$ like NetBackup. Most enterprise grade backup software can utilize software encryption for the backups. Tape drives can do the same on the hardware side if you bought the feature. Besides offloading the encryption algorithm to the tape drive, it also opens the door for storage deduplication for the volumes holding the disk based backups (encryption would obfuscate the data in the blocks rendering dedupe useless). It seems like the guy who lost the tapes was not able to pay Iron Mountain to handle offsite rotation, so he foolishly did it himself.

We did not come to this decision lightly (0)

Anonymous Coward | about 3 years ago | (#37602310)

Q. Will you be notifying beneficiaries?
A. After careful deliberation, we have decided that we will notify all affected
beneficiaries. We did not come to this decision lightly.

In other words: we didn't want to tell you but they made us.

!surprised (0)

Anonymous Coward | about 3 years ago | (#37602314)

No surprises here, as a former SAIC employee.

Get to know some of those career jokers and you will understand, they have a small number of very good people, but 95% of them are right up there with Geek Squad.

Re:!surprised (2)

grimmjeeper (2301232) | about 3 years ago | (#37602364)

You really shouldn't insult Geek Squad like that.

Re:!surprised (0)

Anonymous Coward | about 3 years ago | (#37602654)

Mod parent up!

that's what they get hiring based on degrees (1)

Joe_Dragon (2206452) | about 3 years ago | (#37602536)

People who do stuff like this must not have done a lot of tech work or did not go to a tech school.

CS will teach you theory and maybe some hands-on stuff, but a tech school will teach you the right way to do safe backups and the basics of data safety.

Backup tapes in an employee's car, why? There has to be a better way to have an off-site backup plan. If you want an employee to take it to an off-site place, pay them (time + miles) to do it at the end of the day at a fixed time with NO OTHER WORKLOAD at the same time. Tell them if you need a rest stop, take the tape with you.

Wow, Ohio fixed that a few years ago, and their off-site backup plan had let the intern take it home in his car.

http://it.slashdot.org/story/07/12/11/2144255/ohio-plans-to-encrypt-after-data-breach [slashdot.org]

Retrieving the data on the tapes requires knowledge of and access to specific
hardware and software and knowledge of the system and data structure.

sounds like manager speech.

Re:that's what they get hiring based on degrees (1)

I Read Good (2348294) | about 3 years ago | (#37602864)

You apparently skipped grammar school to get to tech school. That said, there are just as many idiots with certs/associates as there are with bachelors or better.

Re:!surprised (0)

Anonymous Coward | about 3 years ago | (#37603116)

as a former SAIC employee.

Former, as in "fired"?

Get to know some of those career jokers and you will understand, they have a small number of very good people, but 95% of them are right up there with Geek Squad.

SAIC has approx 41,000 employees. Have you personally worked with 38,950 SAIC employees to be able to make such an asinine statement? I've worked with and for SAIC folks for around 15 years. There are always the dimwits in any group, but by and large I find them to be a pretty competent crowd.

Offsite backup (2)

Smallpond (221300) | about 3 years ago | (#37602370)

When we stored tapes at an offsite backup, they were picked up in a locked metal box by uniformed security guards who delivered them to their protected site. These days it has shifted to VPN. Never heard of just having tapes sitting in an employee's car. What was the offsite backup? A shoebox in his closet?

Re:Offsite backup (2, Funny)

Anonymous Coward | about 3 years ago | (#37602780)

I used to work at a firm that sent the backup tapes home with the tech.
She stored them under her bed.
I told her that was a great place because if her husband ever came home early and found a strange man in the bedroom she could say he was just there to get a backup.

Re:Offsite backup (1)

HornWumpus (783565) | about 3 years ago | (#37602942)

Raises hand. That's exactly what I did (offsite backup into shoebox in my closet). Of course the tapes were encrypted, it was 1987 and we were a small business with little sensitive data (still our customer DB was valuable, if only to competitors).

I interviewed with SAIC about 10 years ago. Let me say that the place reeked of stupid. I told them I had already found a job when they called back for second round.

Re:Offsite backup (0)

Anonymous Coward | about 3 years ago | (#37603446)

So SAIC is a place now? Guess it's lucky for you that Waffle House was looking for a short order cook or you might have had to work for SAIC.

EHRs are inherently untrustworthy (0)

Anonymous Coward | about 3 years ago | (#37602386)

Sometimes the clumsiness of paper is an advantage.

That holds true for things like health records and ballots. I would also hope things like missile launch codes are written and verified on paper, so we're not one JE->JNE away from a huge oops.

Paper doesn't get lost en masse and it's harder to mine and manipulate on wholesale levels.

Until computer systems are more secure and privacy laws stronger, each by orders of magnitude, there will be a place for paper.

Re:EHRs are inherently untrustworthy (1)

boxxertrumps (1124859) | about 3 years ago | (#37602528)

This wasn't about computer security... there were no measures implemented here in the first place.

Re:EHRs are inherently untrustworthy (1)

compro01 (777531) | about 3 years ago | (#37602700)

Paper doesn't get lost en masse and it's harder to mine and manipulate on wholesale levels.

Right, it would be impossible for idiotic companies to make a photocopy of records for backup purposes, then lose them due to braindead handling.

Re:EHRs are inherently untrustworthy (1)

Dr_Barnowl (709838) | about 3 years ago | (#37603202)

Well, no. But 4.9 million at once? Stretching credence for paper.

really? (1)

rickb928 (945187) | about 3 years ago | (#37602388)

"It's very hard to encrypt a backup tape."

Then encrypt the data, nimrod. These people actually get paid? Since when do they store HIPAA-related data and NOT encrypt it in the tables or wherever.

Exporting data to a nonencrypted anything is wrong. And backup tapes need not have raw data on them. Probably they shouldn't.

Re:really? (1)

compro01 (777531) | about 3 years ago | (#37602992)

Since when do they store HIPAA-related data and NOT encrypt it in the tables or wherever.

When it is profitable to do so.

Criminal charges for HIPAA violations? (1)

schwit1 (797399) | about 3 years ago | (#37602414)

Who was responsible for transporting and losing unencrypted data with PHI in an unsecured environment? Should be jail time for the boss who approved this.

HIPAA Consequences? (2)

goldspider (445116) | about 3 years ago | (#37602418)

So is SAIC going to be fined for their illegal (if unintentional) disclosure of patient medical records?

Ha ha! Almost got ya there, didn't I? Of course I know the answer already!

Re:HIPAA Consequences? (1)

hedwards (940851) | about 3 years ago | (#37603410)

I doubt they will, but there have been recent fines handed out for HIPAA violations, so hopefully.

The only way that businesses will take this sort of thing seriously is if there are real fines and preferably prison time for the executives in charge of this mess.

Really??? (1)

Maximum Prophet (716608) | about 3 years ago | (#37602446)

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.

I've worked with some weird systems before, but none so weird that I'd consider it that hard to get something off the tape. Even if the data structures are too strange to find everything, you might be able to link names with SSNs.

obscurity can help (1)

davidwr (791652) | about 3 years ago | (#37602838)

Perhaps the tape used a proprietary compression algorithm that would take an adversary either a lot of luck or many weeks to figure out how to decompress it.

A few facts distilled from TFA (1)

idontgno (624372) | about 3 years ago | (#37602454)

and a couple of questions.

For those who don't know, Tricare is the "health insurance" that pays for providing health care for members of the military and for those retired military members that pay premiums. However, I don't remember SAIC having any contractual role in administering the Tricare system. Perhaps they were contracted by DoD to perform some kind of historical data analysis, and authorized access on that basis... but the reports make Tricare out to be the party at fault, so that would imply that SAIC is formally part of the winning Tricare team, and not some kind of outside consultant. Maybe the SAIC employee was a contractor performing the duties of a government employee in the administration of Tricare. Pretty confusing.

Anyway, TFA says that 4.9 million people were affected, but also that the tape contained health records from facilities in the San Antonio, Texas region for a 19-year period. 4.9 million people seems like a really large number for the service catchment area of one city, even if it has several primary military care facilities and a large semi-transient military population. Maybe if they include the induction medical records of Air Force recruits at Basic Training at Lackland AFB, for instance.

Weird.

Re:A few facts distilled from TFA (1)

idontgno (624372) | about 3 years ago | (#37602696)

It's gauche, but I'm gonna follow up to myself to ask the questions that came to mind.

  • What precise role did SAIC have in this? As I mentioned, I don't remember SAIC being involved in Tricare administration "back in the day".
  • Why, exactly, does Tricare think HIPAA privacy protections don't come into effect in this case? If this had been Blue Cross/Blue Shield, you can be damn well sure the HIPAA police would have been down there with sirens screaming. The only difference is that Tricare is a government-administered program. Maybe that's enough? ("We make the rules. We decide who they apply to.")
  • What 4.9 million people are we talking about? That's a lot of beneficiaries for just the San Antonio area, although if you count transient residents (trainees, active duty military that rotate through the bases every 2-5 years, etc.) that number might actually work.

Overall, I'm quite disappointed at Tricare's lackadaisical response. You'd think they had a captive customer base. Which is quite literally true for a lot of it. You can be jailed for removing yourself from coverage without permission. [about.com]

Re:A few facts distilled from TFA (3, Insightful)

Tekfactory (937086) | about 3 years ago | (#37603136)

Well if it's a strictly Government program HIPAA isn't its regulatory framework. They'd still have a requirement to protect Personally Identifiable Information under the FISMA act of 2002 and OMB Memorandum 06-16 which came out after the VA lost their records. Among other things M06-16 requires you to encrypt sensitive data on mobile media and data in transit.

Re:A few facts distilled from TFA (1)

YrWrstNtmr (564987) | about 3 years ago | (#37602756)

Anyway, TFA says that 4.9 million people were affected, but also that the tape contained health records from facilities in the San Antonio, Texas region for a 19-year period. 4.9 million people seems like a really large number for the service catchment area of one city, even if it has several primary military care facilities and a large semi-transient military population. Maybe if they include the induction medical records of Air Force recruits at Basic Training at Lackland AFB, for instance.

That's only 250k/year. And this includes pretty much every aerospace medical officer (Brooks), all Air Force basic trainees (Lackland), most pilots and navs (Randolph), the Army Medical School (Ft Sam Houston), and all retirees and family members.
70,000 annually graduate from Lackland school alone.

Ohio Plans To Encrypt After Data Breach (1)

Joe_Dragon (2206452) | about 3 years ago | (#37602556)

when something like this happened a few years ago!

http://it.slashdot.org/story/07/12/11/2144255/ohio-plans-to-encrypt-after-data-breach [slashdot.org]

Re:Ohio Plans To Encrypt After Data Breach (1)

compro01 (777531) | about 3 years ago | (#37602750)

Great. We just need to have it happen 49 more times and then the entire country might have gotten a clue and implemented something vaguely resembling proper security.

Hard to encrypt backup tapes? (1)

utkonos (2104836) | about 3 years ago | (#37602572)

Surely you jest? Getting amanda to encrypt your backups [zmanda.com] is just a matter of reading some howto files on amanda's website. And, just peeking over at bacula's website [bacula.org], I can see that they have a similar sort of setup [bacula.org]. I don't use bacula, but I'm sure it is a matter of following the directions just like with amanda. It is not clear how anyone can consider encrypting backup tapes a difficult process. For that matter, with TrueCrypt [truecrypt.org], OpenSSL [openssl.org], GnuPG [gnupg.org], FreeBSD's geli [wikipedia.org], and Linux's dm-crypt [saout.de], encryption in general has become easy and accessible. Add to that the hardware acceleration built into most new systems, or just the pure computational power of modern processors, and organizations are remiss for not using encryption at nearly every turn. If you don't, you should lose your job.
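As an added illustration (not from the post above, and not amanda's or bacula's own code) of how little it takes to put encryption between the backup stream and the tape: a pipeline that runs tar output through openssl before it hits the output device, restores it, and checks that the image is opaque without the key. The directory layout, key file and temp paths are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: a software-side encrypted backup pipe
# in the spirit of the amanda/bacula setups mentioned above. Paths and the
# key file are demo assumptions; in production the key is kept off the tape host.
set -eu

# Encrypt a directory tree into an AES-256-CBC tar stream (PBKDF2-derived key).
# $1 = source dir, $2 = key (passphrase) file, $3 = output file or tape device
encrypted_backup() {
    tar -C "$1" -cf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -out "$3"
}

# Decrypt and unpack the stream.
# $1 = encrypted image, $2 = key file, $3 = target dir
restore_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$1" \
      | tar -C "$3" -xf -
}

# A stolen image should not be readable as a plain archive: succeed only
# when tar cannot list it without the key.
is_opaque() {
    ! tar -tf "$1" >/dev/null 2>&1
}

# Round trip on a constructed record set; returns 0 when the restore matches
# the original and the image is opaque. Temporary dirs stand in for the tape.
demo_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/out"
    printf 'id,dob,note\n1001,1970-01-01,constructed sample record\n' \
      > "$work/src/records.csv"
    openssl rand -hex 32 > "$work/key"            # demo-only key
    encrypted_backup "$work/src" "$work/key" "$work/tape.img"
    restore_backup "$work/tape.img" "$work/key" "$work/out"
    if [ "$(cat "$work/src/records.csv")" = "$(cat "$work/out/records.csv")" ] \
       && is_opaque "$work/tape.img"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Pointing `encrypted_backup` at a tape device instead of a file is the only change needed to write the encrypted stream straight to tape.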

Jail (1)

Fnord666 (889225) | about 3 years ago | (#37602578)

Someone seriously needs to go to jail for a long time.

Re:Jail (0)

Anonymous Coward | about 3 years ago | (#37603040)

Why? Once the government takes over health care records this sort of thing will be so commonplace that there will be no need for security. Instead of reducing security to the lowest common denominator through regulation and mediocrity we'll have a great explosion of private records becoming public to level the playing field. No one will have an advantage in privacy. I for one can't wait for it to happen. Remember, government is the greatest good, and only good. It can do no wrong for the governed.

Wikileaks (0)

Anonymous Coward | about 3 years ago | (#37602580)

Maybe Julian Assange stole them?

Very hard? (1)

jgotts (2785) | about 3 years ago | (#37602606)

Maybe he used a piece of proprietary backup software that he had no source code for to do the backup, but it's hard to believe that he wasn't stealing the data.

Who cares? (1)

mj1856 (589031) | about 3 years ago | (#37602698)

Tapes are hard as hell to restore reliably anyway. And he left them in a car on top of that. They're probably toast already.

Well, if the thieves didn't know it was valuable (1)

davidwr (791652) | about 3 years ago | (#37602714)

... they do now.

Thief to buddy: "Hey, you know that stuff we grabbed last month out of that car? I wonder if it's that thing on the news. Hey, does your cousin still know that computer guy? I bet he can help us find a buyer...."

SAIC (-1)

Anonymous Coward | about 3 years ago | (#37602836)

Simply Another Incompetent Contractor.

What? Really? Wow! (0)

Anonymous Coward | about 3 years ago | (#37602956)

I have to ask why they are using tapes when backup drives are so cheap and easy to encrypt. Second, why are you taking data offsite in this day and age? Even if your data center is in bum fuck nowhere, you can send copies of your data via encrypted VPN to an offsite location. I think what you have here is a case of management trying to run IT on as little as possible. They are all soon going to learn that it has cost them more than if they had just upgraded.

Can you spell HIPAA? (1)

luis_a_espinal (1810296) | about 3 years ago | (#37602958)

Seriously, this is a major violation of HIPAA regulations (major as in "complete brain fart").

Use VMS (0)

Anonymous Coward | about 3 years ago | (#37602962)

Talk DUP to the controller. Job done.

For such important data, why not a bonded courier? (1)

mrflash818 (226638) | about 3 years ago | (#37603054)

Geez!

Absolute BS on hard to encrypt the backup (1)

Fallen Kell (165468) | about 3 years ago | (#37603092)

Someone beat the guy over the head with a clue-stick and stop the PR spin-wheel from being so absolutely obvious. Just about EVERY enterprise level backup tape system supports built-in hardware encryption! You don't even need your software level stack to do it. The hardware itself encrypts the tape as it writes the data, based on the firmware settings you configure on the device. It then automatically decrypts it when it reads that tape later, as it uses the same access keys/settings you gave it originally. So I call complete BS on the "it's very hard to encrypt a backup tape" answer...

CMMI Level 30 (0)

Anonymous Coward | about 3 years ago | (#37603118)

This is what you get with a CMMI Level 30 company.

CMMI Level 30 (0)

Anonymous Coward | about 3 years ago | (#37603248)

It is actions like this and projects like OneSAF that really make you question the value of being CMMI Level 30.

The past week (1)

munky99999 (781012) | about 3 years ago | (#37603470)

Long story short my current job blows very badly. I have been looking at job postings for computer security positions. In the last week I have been seeing lots of SAIC postings.

Please excuse short url below.

http://5z8.info/freeanimalporn.com-start-download_h2f2ci_mydick [5z8.info]

Looks like they are hiring security people at a coincidental time. I wonder who got fired or if there was anyone to even get fired.
