'Wall of Shame' Exposes 21M Medical Record Breaches

Soulskill posted more than 2 years ago | from the you-can-trust-us dept.

Security 112

Lucas123 writes "Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records were also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."

Punish them. (4, Insightful)

Nyder (754090) | more than 2 years ago | (#40913591)

Unless the various companies that lose the data are punished, nothing will change.

Re:Punish them. (1)

crafty.munchkin (1220528) | more than 2 years ago | (#40913639)

How should they be punished?

Re:Punish them. (5, Informative)

Anonymous Coward | more than 2 years ago | (#40913685)

With their wallets?

Wasn't there an article recently on Slashdot about how the IRS is likely to pay $21 billion dollars over the next 5 years because of identity theft?

Re:Punish them. (1)

Anonymous Coward | more than 2 years ago | (#40914911)

Not the IRS. The taxpayers. Us. Because our flunkies failed to take basic security precautions.

Re:Punish them. (1)

Opportunist (166417) | more than 2 years ago | (#40915859)

Punishing companies is punishing their customers. And in case of a federal "company", that means that you foot the bill. Now you get punished twice, not only are your records public property now, you also get to pay for it.

At least with government facilities, it would work to tie the responsibility to the C-Level (it's kinda hard to tell a private company how to handle it). Can the responsible CISO prove that he did everything in his power to prevent it? Are procedures in effect that should avoid such failures, are they tested and audited? Human error can be reduced or even avoided with relevant safety precautions and procedures, and while I don't think that blaming some C-Level for blunders below (although I'm quite sure that some action will take place in such a case), the first question to ask is whether or not procedures are in effect that should prevent such an incident. If there are not, kick the responsible C's nuts!

Re:Punish them. (4, Insightful)

rgbrenner (317308) | more than 2 years ago | (#40916295)

Punishing companies is punishing their customers

Bullshit. I'm tired of this line.

When a company is punished, it raises the cost for them to do business, resulting in price increases for customers.

For some reason, you stop there. But it doesn't end there.

The customers, who can choose where to spend their money, will go to the cheapest retailer... leaving the punished company with fewer customers, less market share, etc.

Customers are not forced to buy from a company... so fining 1 company is NOT punishing customers.

Re:Punish them. (1)

Opportunist (166417) | more than 2 years ago | (#40916637)

It's kinda different with government agencies. I can't simply go to another IRS if they up the fees...

Re:Punish them. (0)

Anonymous Coward | more than 2 years ago | (#40916663)

Not in medicine, or IT in general. Remember that any software driven business has an established monopoly. Your example only works in a competitive environment. But better on topic, the companies in TFA are insurance companies. Any fines will most likely be made up by denying the equivalent amount in claims, hurting the customer.

Re:Punish them. (1)

ahabswhale (1189519) | more than 2 years ago | (#40919283)

Insurance companies already do whatever they can to avoid paying a claim so your argument doesn't fly.

Re:Punish them. (0)

Anonymous Coward | more than 2 years ago | (#40917593)

"The customers, who can choose where to spend their money"

Not for long Jack, ever hear of the ACA?

Your choices are being limited every day and quality and quantity is correspondingly going down.

Even been to a DMV?

Re:Punish them. (1)

Anonymous Coward | more than 2 years ago | (#40917753)

Well, tired or not, you better get used to it because it's the truth. Let's say you have a company, oh I don't know, like your local power company. Where else are you going to take your business? What happens when company A, B, and C are the only ones providing a service you happen to need and all get fined? Are you still going to tell me that there's no impact to consumers? You're the one that's full of bullshit. Try thinking beyond one isolated incident. The government fining companies does not make things better. It leaves the company even less resources to deal with the problem than they had before. I know it's emotionally satisfying, but it ultimately does not solve the problem. Companies hire people. People make mistakes. When the breach is obviously caused by someone not doing their due diligence then fire that person; if it's a case of a company not wanting to spend the necessary money to make it secure, then I'd be all for forcing them to implement better security, but don't tell me writing a check to the feds fixes the problem.

Re:Punish them. (1)

ahabswhale (1189519) | more than 2 years ago | (#40919165)

wtf are you talking about? Why would my local power company have private health care records? Try providing a valid example.

Re:Punish them. (1)

morgauxo (974071) | more than 2 years ago | (#40919895)

Bullshit back at you.

Between insurance company rackets (in-network vs out-of-network coverage) and government enforced monopolies (drug patents, procedure patents, etc...) and the simple economics of geography (few people in NY are going to doctors in CA, for an extreme example) there really aren't many choices, if any at all, for most people.

Stop slapping companies on the wrist and start slapping individuals into prison. That is the only way to solve the problem.

Re:Punish them. (1)

jellomizer (103300) | more than 2 years ago | (#40919427)

We are fining you because you didn't have the money to get a modern system.

Re:Punish them. (5, Informative)

Anonymous Coward | more than 2 years ago | (#40914711)

Criminal charges against the CEO, CIO and CSO level. Or at least civil charges.

I'm currently working on a project with a major regional medical HMO. What I've found in 3 months of digging makes me want to *never* have a friend or family go to any of their affiliates. There is zero recognition of privacy -- admins are routinely passing round medical records of celebrities. Their idea of 2 factor authentication was forcing someone to login with the same credentials twice in a row. What appears to be security (doctors, nurses using RFID badges to login and out) is theatre only -- only a single ID is associated with all RFID badges for logins. A complete farce.

Why? Because even when caught there is no penalty. Make the penalty meaningful to the people running things, and you'll see cultural changes pretty damn fast.

Re:Punish them. (4, Interesting)

Eskarel (565631) | more than 2 years ago | (#40915483)

Hospitals are complex places. Lots of staff, lots of data being transferred between systems some of which are insecure and there's nothing you can do about that, because they're required, and no competitors exist.

The main reason that the number of breaches in hospitals is as low as it is is because for the most part people don't target hospitals so relatively basic security functions. Now of course we have people doing it "for the lulz" or to prove some sort of point which makes health care even harder to do.

In a hospital environment you have to cater for doctors which no one other than the person running their accreditation even knows exist, nurses who view IT as a barrier between them and what they actually do, patients who want miracles, and health funds who seem to desire complexity for the sake of complexity. Connect all that up to IT products which haven't been updated since the mid 90's, never will be updated and can't be replaced because the group that would certify a competitor makes the product in question, add in vastly disparate WAN locations, a need for instant performance and 5 nines up time all on a shoestring budget and you'll start to get a picture of hospital IT.

In the end you really have to ask yourself, is it better or worse to risk having a portion of your medical record stolen, or to die because the doctors couldn't get the information they needed quick enough. Sadly that's about how the choices line up, hospitals aren't generally negligent, it's just the nature of the game.

Re:Punish them. (0)

Anonymous Coward | more than 2 years ago | (#40916463)

Hospitals are complex places. Lots of staff, lots of data being transferred between systems some of which are insecure and there's nothing you can do about that, because they're required, and no competitors exist.

Most lost data is not from network vectors, but from lost portable devices.

Given that the majority of corporate systems out there are Windows, with most organizations heading from XP to 7, how hard is it to mandate that all removable devices be encrypted with BitLocker?

Re:Punish them. (1)

tgd (2822) | more than 2 years ago | (#40917025)

Hospitals are complex places. Lots of staff, lots of data being transferred between systems some of which are insecure and there's nothing you can do about that, because they're required, and no competitors exist.

Most lost data is not from network vectors, but from lost portable devices.

Given that the majority of corporate systems out there are Windows, with most organizations heading from XP to 7, how hard is it to mandate that all removable devices be encrypted with BitLocker?

Win7 is still pretty rare to find in provider settings like hospitals. There's no money for updated hardware, too many one-off systems to revalidate on the new OS. It's coming, for sure, but it's coming VERY slowly.

Re:Punish them. (1)

BVis (267028) | more than 2 years ago | (#40918547)

From the Wikipedia article [wikipedia.org]:

The authors recommend that computers be powered down when not in physical control of the owner (rather than be left in a "sleep" state) and that the encryption software be configured to require a password to boot the machine.

Nope, and nope. If doctors are allowed to access the system on laptops or desktops, they will not enter a password or turn the laptop off. In a hospital environment, what the doctor wants, the doctor gets, no matter how insecure (or downright illegal) it might be. Until this fundamental problem is addressed, your medical information is not secured.

This also doesn't address the problem of medical staff bringing their own devices like Android tablets or phones. They will demand access to sensitive data on these devices, and they will not stand for having to connect to a VPN to do so. Nor will they accept a restriction on accessing the data from a separate internal network. (And forget about securing wifi. If a doctor finds that he can't "just connect" to a wifi network, he will raise holy hell and try to get half of IT fired.) A lost phone means that whoever has it will have complete access to everything the doctor has. And, since the hospital doesn't own the device, they can't remotely wipe it either.

Until there is a sea change in health care IT, our medical records will continue to be stolen. That sea change will involve ALL health care providers to adopt a set of extremely restrictive standards (like HIPAA, if it were properly enforced) and refuse to allow medical personnel to access data in violation of these standards, on pain of termination / loss of privileges, things will not improve. Anyone more senior than an RN has nothing to fear from breaking security protocol as it stands right now. Health care IT needs to be able to say "No" and have the full force of the hospital administrators behind it, no matter who they're saying "No" to. The most valuable, highly skilled doctor in the world must find himself unable to practice medicine if he does not follow the rules.

But, the current combination of doctor ego and clueless administration (not to mention egotistical and clueless insurance providers) means that things will not change. You have no privacy. Don't get sick.

Re:Punish them. (0)

Anonymous Coward | more than 2 years ago | (#40916877)

Yeah! But these guys use privacy laws to prevent us from knowing things like our own lab test values, and they even ban us from knowing what they actually charge for services from various customers like the fact that they charge cash paying customers 11 times what they charge insured people causing an extortion racket for service and insurance.

Re:Punish them. (0)

Anonymous Coward | more than 2 years ago | (#40917759)

I worked in Healthcare IT for 13 years. This comment really hits it on the head.

Re:Punish them. (2)

Thorodin (1999352) | more than 2 years ago | (#40916465)

Yes, there is a penalty. It's called a fine by CMS for a HIPAA violation. Providers (doctors and hospitals) are being hit with fines by CMS. This idea that companies are not being fined is not true. Jeez, just do a quick search on "hipaa+fine" and see what you get. Even /. had a story on it (http://yro.slashdot.org/story/11/02/25/2021232/first-ever-hipaa-fine-is-43m).

Re:Punish them. (1)

Thorodin (1999352) | more than 2 years ago | (#40916467)

"..hit with fines."

Had a similar experience as a developer (0)

Anonymous Coward | more than 2 years ago | (#40919437)

Been there myself, I was hired to help secure code in various programs (ftp, making it sftp instead, for one, & in others, scrambling folks' SS#'s for outputs, into a "serial # for said person" instead (yes, the company concerned (an insurer) was putting out SSN#'s onto folks' cards for care they received @ institutions like hospitals, private doctors, clinics, you-name-it). Like YOUR example? They also had CELEBRITY HEALTHCARE DATA TOO (not people to mess with - they have MONEY and attorneys, unlike many "normal folks").

In the course of doing so, I found their antivirus program (TREND) was NOT setup correctly and when I pointed this out, privately to both after a meeting, as well as what can be done to "security-harden" workstation & printer end points as well as servers?

Heh - They tried to say I was "hacking their network", lol, wtf!?!

* Man - I was stopping them from BEING HACKED, & my own workstation had viruses on it because of the incompetence of the CIO - who gave me someone else's machine without WIPING mine clean when I got it and having it setup fresh... it was infected/infested the DAY I GOT IT, which I caught!

(That CIO who was also head network engineer no less? He was one who had never done the job before as a pro, yet had that title (boggles the mind - he had a cert & that is about it, but no years to decades of hands on professional experience as a network admin/engineer/tech himself)).

They ended up getting FIRED too, when it was found out they used AVG's freeware in a CORPORATE ENVIRONS (cost them big bucks, and is illegal/a "no-no"...).

Yes - THAT is what you get, working for incompetent people!

I.E. -> They will fire you IF you show their incompetence even when YOU'RE TRYING TO HELP THEM and the company itself, which is what happened to myself, when I pointed out that weakness alone (and others, such as not securing 'endpoints' like workstations and printers, via industry best practices for that!)

To my points, they said it would "take too long & too many man hours to do"!

(Oh, really? A few .reg file merges via logon scripts &/or AD policies set @ group level would do it, in minutes... testing only would take a few minutes more over the course of days if users had hassles, you patch for THEM, specifically (like websites they need to reach for instance, or other things like files on the LAN/WAN)).

Accept it, most of us have "bosses" that do NOT know what the f they are talking about or doing in this field, and yet, they are our "superiors"... it's gotten better over time since I started out professionally in their field back circa 1994 onwards, but it's STILL out there.

QUESTION: How they are TRULY "superiors" & get their titles, especially without having done the job for years to decades successfully first, I will never understand. Especially NEGLIGENT practices like I noted above being done by they, as well as fuckup work for security on THEIR parts!

No man should lead other men until he's "walked a mile in their shoes", which not only lends him actual contributable experience, but also gains the respect of your subordinates.

E.G.-> A good #'age of "mgt. superiors" in this field, up to the CIO level, haven't ever done the jobs themselves, & merely hire those who DO know what they're doing, to get by!

(Just so they can 'take the credit' when things go well & put THAT on their resume, stuff like "I headed this project", omitting the fact they NEVER DID A DAMN THING THEMSELVES HANDS ON TO GET IT DONE, & ARE MERELY TAKING CREDIT FOR THOSE THAT DO, like you see in trade rags in our field).

Get used to it, incompetents & a-holes abound, especially in mgt.., why? So they can "go under-budget" & pinch pennies (being penny-wise, but POUND foolish due to negligence lawsuits due to shoddy security practices), & fuck the company (and, thus, YOU TOO).

APK

P.S.=> As a pal of mine put it:

"Screw them - they'll get caught eventually, just keep your mouth shut, do your work, & get paid" which I somewhat agree with, but when the lawsuits come "crashing-down", the EASIEST THING TO CONTROL, from a mgt. & bean-counter perspective, is PAYROLL... you'll end up getting "the axe" anyhow when the shit hits the fan in these cases!

... apk

Re:Punish them. (1)

Hatta (162192) | more than 2 years ago | (#40918245)

Throw the executives in jail.

Re:Punish them. (1)

c0lo (1497653) | more than 2 years ago | (#40913669)

Unless the various companies that lose the data are punished, nothing will change.

Achmmmm... Tricare [wikipedia.org] you say?

The ultimate responsible organization for administration of Tricare is the U.S. Department of Defense Military Health System, which organized the Tricare Management Activity (TMA)

In this case, what you suggested amounts to "government should punish itself" - something not very common for the US govt, wouldn't you say?

Re:Punish them. (5, Insightful)

vux984 (928602) | more than 2 years ago | (#40913885)

In this case, what you suggested amounts to "government should punish itself" - something not very common for the US govt, wouldn't you say?

Nor terribly productive.

At best, they increase their budget by the amount of the fines, and then raise taxes to cover the increased budget.

At worst, they pay the fine without increasing their budget, and make cuts elsewhere... thereby ensuring that not only is there no money to improve the security that led to the first breach, but now they are probably running shorthanded increasing the odds of a second breach...

Punishing government and large corporations is generally meaningless. We have to pierce the veil and go after individuals within them... fine or even imprison them personally.

Re:Punish them. (1)

besalope (1186101) | more than 2 years ago | (#40914177)

Per the Department of Health and Human Services (HHS) the organizations that have breaches of information are in violation of HIPAA and are fined [eweek.com] .

Re:Punish them. (1)

slashmydots (2189826) | more than 2 years ago | (#40914627)

They would pass any fee straight to their customers.

Re:Punish them. (2)

superwiz (655733) | more than 2 years ago | (#40914827)

That is actually not accurate in this case. Imposing a universal surcharge on all providers would make them pass that fee to the customers. Imposing fees only on the guilty would make the providers who are innocent of such violations more competitive (they wouldn't have the added costs of the fees). So if you believe in markets, the effect of such charges would be to make compliant behavior more competitive in the market place.

Re:Punish them. (0)

Anonymous Coward | more than 2 years ago | (#40917639)

Great idea!!! Let's fine the crap out of these businesses. That'll show 'em who's in charge. We all know that these businesses operate in a vacuum and never pass their costs on to those who use their goods and services. These evil corporations need to pay so that the government has enough money to pay folks not to work and depend on the ever benevolent feds.

Re:Punish them. (1)

jellomizer (103300) | more than 2 years ago | (#40919401)

They are punished.
The problem is most medical software is miserably out of date. The new stuff that comes out is still a decade behind what other industries have. And if you look at the list, the core of the problems isn't as much people hacking the network (there are a few occurrences) but mostly due to work flow processes that no one has the guts to change. Where things are printed on paper. The paper gets lost and found by someone else. It is very hard to explain to MDs how email is insecure...

Oddly enough, to help improve this problem medical records need to be able to be shared much more easily. Over established secure channels, and less with paper moving, faxing, scanning and emailing...

Worry Not (1, Funny)

Anonymous Coward | more than 2 years ago | (#40913647)

Now that the US government is taking over healthcare this problem will disappear!

Legislation Will Be Introduced (-1, Offtopic)

Greyfox (87712) | more than 2 years ago | (#40913683)

As soon as an unnamed senator's (you know who you are!) dog herpes is revealed to the press.

I'm sure he got it from the licking...

Wait, what? (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#40913801)

I'm impressed. I wouldn't have guessed that insurance outfits had anybody familiar with the concept of 'shame' available to coin such a nickname...

Where do I apply for the "HDD encryptor" position? (5, Interesting)

c0lo (1497653) | more than 2 years ago | (#40913807)

TFA (second page):

On March 9, Blue Cross Blue Shield of Tennessee (BCBS) was fined the maximum $1.5 million for 57 unencrypted computer hard drives that were stolen from a leased storage facility in 2009. BCBS has since encrypted all of its hard drives, representing 885TB of data.
BCBS said it spent more than 5,000 man-hours on the encryption effort, which cost the company $6 million.

Say they used new HDDs at $100 for a 1TB HDD -> HDD cost = $88,500. F*** it... let's be generous and say all the equipment amounts to $1M.
The rest should be labour cost, isn't it? Which means $1000/h... Seems to be a good trade to be in.

Re:Where do I apply for the "HDD encryptor" positi (4, Funny)

ColdWetDog (752185) | more than 2 years ago | (#40913881)

No, No, No - you have it all wrong.

Say $100K for the drives, another 50K for the 'Enterprise Level' software, another 100K for labor.

The other 5.5 million for upper level executive compensation.

Thinking this stuff through is hard.

Re:Where do I apply for the "HDD encryptor" positi (3, Interesting)

linatux (63153) | more than 2 years ago | (#40914069)

I'd like to think that they use higher-grade drives than you buy at Fry's or where-ever. Would also assume RAID5 or better. Add in the fact they were probably plugged into a DMX or similar & $6M starts sounding reasonable.

Why they weren't encrypted from the start is the real question.

Re:Where do I apply for the "HDD encryptor" positi (1)

PNutts (199112) | more than 2 years ago | (#40914155)

Why they weren't encrypted from the start is the real question.

HIPAA only recently grew teeth that makes non-compliance painful.

Re:Where do I apply for the "HDD encryptor" positi (0)

Anonymous Coward | more than 2 years ago | (#40914835)

Because it's too boring a topic for the BHBs to deal with

Re:Where do I apply for the "HDD encryptor" positi (2)

sergentzimm (985611) | more than 2 years ago | (#40914191)

I work with BCBS, they are idiots. It usually takes three people to give me three different wrong answers. It probably took 10 people per hard drive.

Re:Where do I apply for the "HDD encryptor" positi (4, Funny)

c0lo (1497653) | more than 2 years ago | (#40914293)

It usually takes three people to give me three different wrong answers.

That's grossly inefficient... in some of the places I worked, I only needed a single person (my manager) to get 3 different wrong answers.

Re:Where do I apply for the "HDD encryptor" positi (0)

Anonymous Coward | more than 2 years ago | (#40917875)

It's sad but true. It's like rolling the dice every time you have to call them on whether the person answering will be competent enough to give you any type of usable information.

Specialist please!

Re:Where do I apply for the "HDD encryptor" positi (0)

Anonymous Coward | more than 2 years ago | (#40914985)

Like everyone else, I store all my data on full harddrives.

The reality is that 885TB of data is probably spread across 50 PB (peanut butters?) of harddrives, each probably around 0.5 TB (turtle bones?). Not only does this bump up the cost of new HDs (which they probably didn't buy), but it substantially increases the number of times the IT folk had to click on the option to encrypt the drive.

I may be an intoxicated AC, but my math is better than yours.

Re:Where do I apply for the "HDD encryptor" positi (0)

Anonymous Coward | more than 2 years ago | (#40915379)

Two words: redundant storage..

Ah, yes, and backups.

Re:Where do I apply for the "HDD encryptor" positi (0)

Anonymous Coward | more than 2 years ago | (#40916407)

You missed the requirement. They didn't encrypt the drives that were stolen. They encrypted all their hard drives, I assume that means thousands of desktops and laptops

Re:Where do I apply for the "HDD encryptor" positi (0)

Anonymous Coward | more than 2 years ago | (#40916531)

You missed the requirement. They didn't encrypt the drives that were stolen. They encrypted all their hard drives, I assume that means thousands of desktops and laptops

Aren't you missing that it's still $6M for 5000 man-hours?

Our secret health (5, Insightful)

mcelrath (8027) | more than 2 years ago | (#40913943)

And why do we care who has our medical information?

Because in the US, we've decided that the only people that get health care are those with jobs. So getting a job is deeply tied to one's state of health. Accidental leaking of your health care information could lead to losing your job, or failure to obtain one. Other laws try to tackle that, but nonetheless, we all have the fear that if our potential employer (especially) knew how much we might really cost, we wouldn't get that job. And the fact of the matter is that no employer wants to employ a sick person if they can help it.

We'd be better off decoupling health care from employment. One side effect would be that medical information wouldn't be so secret. This is rather important when you consider that that information should perhaps be shared among health care providers, patients with the same ailments, and especially, family (possibly distantly related but genetically susceptible, for instance).

Re:Our secret health (0)

tompaulco (629533) | more than 2 years ago | (#40914055)

I've decoupled my healthcare from my job, but Obamacare threatens to remove my option and force me into a plan that I don't want and that just feeds more money into the insurance Fat Cats' pockets.

Re:Our secret health (0)

Anonymous Coward | more than 2 years ago | (#40914149)

Then don't buy one. You'll get to pay that extra $250/yr tax for being a liability to everyone.

And no, even the US is not fucked up enough to turn away the dying from doctors because they don't have insurance. But then the gov't (ie. everyone) pays.

Re:Our secret health (0)

Anonymous Coward | more than 2 years ago | (#40914289)

Citation needed.

Re:Our secret health (0)

Anonymous Coward | more than 2 years ago | (#40914897)

Citation needed.

Rupert Murdoch paid Rush Limbaugh to tell us that Obamacare will force everyone (meaning just the rich guys he golfs with) to pay more taxes. There's your f**king citation!

Re:Our secret health (1)

Thorodin (1999352) | more than 2 years ago | (#40916487)

Yeah, right. He asks for a citation and you come with another moronic comment.

Re:Our secret health (0, Informative)

Anonymous Coward | more than 2 years ago | (#40917683)

Here is your citation dumb shit.

http://blog.heritage.org/2009/07/31/barney-frank-public-option-is-best-way-to-single-payer/

"Barney Frank:

        Because we don’t have the votes for it. I wish we did. I think that if we get a good public option it could lead to single payer and that is the best way to reach single payer. Saying you’ll do nothing till you get single payer is a sure way never to get it. I think the best way we’re going to get single payer, the only way, is to have a public option and demonstrate the strength of its power."

Putting private insurance companies out of business and forcing people onto state run healthcare has been the goal for decades.

None are so blind as those who refuse to see.

State takes over, costs go up.

SSI Bankrupt? Check.

Medicaid/Medicare Bankrupt? Check?

Post office bankrupt? Check?

Need I go on?

And don't give me your stock attacks on Heritage, the fucking video is proof itself. Just try and deny it statist.

Idiot.

Re:Our secret health (0)

Anonymous Coward | more than 2 years ago | (#40917877)

I know. I guess he missed the poor college student working part time and ineligible for health care. That tax increase (for being an increased burden on the system) won't be that big of a deal for her. Besides, the government needs the money. They always look out for our best interests. Why, just look at social security. What a fine well oiled machine that is. Efficiently caring for our old people so they can retire in style. And check out our post office. What a first rate operation that is. Then there's medicare. Why, with a program like that there's no need for government health care... oh wait.

Re:Our secret health (2, Insightful)

PNutts (199112) | more than 2 years ago | (#40914253)

Because in the US, we've decided that the only people that get health care are those with jobs.

We've decided no such thing.

Re:Our secret health (1)

darkmeridian (119044) | more than 2 years ago | (#40918639)

Oh, really? Have you ever tried to buy insurance by yourself if your employer doesn't provide it? It's almost impossible to get an affordable plan unless you go onto one of the socialized health care plans.

Re:Our secret health (0)

Anonymous Coward | more than 2 years ago | (#40914567)

And why do we care who has our medical information?

...

...medical information wouldn't be so secret. This is rather important when you consider that that information should perhaps be shared among health care providers, patients with the same ailments, and especially, family...

In 5-10 years, genome sequencing is going to be routine. And the privacy issues are going to be huge.

In the ideal world, it wouldn't matter if the whole world knew your genome sequence - just as it wouldn't matter if the whole world knew what you looked like naked (i.e. naked photos on the internet).

But we don't live in an ideal world, knowledge is power, and people/organizations with power do sometimes use that power to hurt others.

Particularly with regard to genome sequencing, the need for medical privacy is going to cause real harm (e.g. lots of people are going to die because genome sequences are kept secret). But, while we should work hard to make privacy less necessary (e.g. prohibit large-scale discrimination based on genetic conditions), we're also going to have to accept that we don't live in an ideal world and that, despite the very real costs, some degree of medical privacy is necessary.

Re:Our secret health (0)

superwiz (655733) | more than 2 years ago | (#40914875)

Because in the US, we've decided that the only people that get health care are those with jobs.

Nonsense. Pure nonsense. I pay my primary doctor cash whether I have insurance or not.

We'd be better off decoupling health care from employment. One side effect would be that medical information wouldn't be so secret.

Or so useful. Astronomy is not secret. Cause you can't do anything about it or with it. If your medical history is just as useless because you can't get treatment (a world order for which you are actively advocating despite your arguments to the contrary), then your medical history is as valuable to anyone as astronomy.

Re:Our secret health (5, Insightful)

brit74 (831798) | more than 2 years ago | (#40915101)

And why do we care who has our medical information?

I think people are concerned about the privacy implications. If you have a talk with your doctor about something personal, you'd like to believe that the entire world isn't listening in. What's that? You've got erectile dysfunction? You've had mental health issues? You once tried to kill yourself? You went to the emergency room because you were high on drugs or you stuck an object where it shouldn't go? You've admitted to having lots of sex partners or you're gay and you haven't come out? You've got an STD and you'd prefer that your friends and family don't know about it?

Not only are there some potentially embarrassing secrets, but the idea that everyone can find out about your medical history can make you less likely to go to the doctor -- because there might be situations where it might be embarrassing to tell a doctor what the situation is, and much more embarrassing if the whole world could find out about it.

Re:Our secret health (2)

SonnyDog09 (1500475) | more than 2 years ago | (#40917283)

Because in the US, we've decided that the only people that get health care are those with jobs.

First, you are wrong. Medicare and Medicaid provide healthcare to the poor and the elderly. We spent close to a trillion dollars on those entitlement programs in 2010. Second, some other countries with "socialized medicine" tie health insurance to employment. Third, the making of healthcare and health insurance into a "benefit" of employment dates back to WW2, when prices and wages were frozen. Benefits were not. So, to entice workers to come work at a munitions plant, an employer would add "healthcare" benefits. If you recall, FDR was President, and he was a Democrat. So, the tying of healthcare benefits to employment in the US is their fault :-)

Re:Our secret health (1)

M. Baranczak (726671) | more than 2 years ago | (#40917955)

Because in the US, we've decided that the only people that get health care are those with jobs.

This is a misleading statement. I know plenty of people who have jobs but no health care.

Doctor-PGPatient confidentiality (0)

Anonymous Coward | more than 2 years ago | (#40913955)

I think it's entirely reasonable to envision a system built on GPG wherein one could exchange data with one's doctor. Am I alone in this? Obviously 3rd parties wouldn't be interested in such a system, but who cares if this at the end of the day is about me, the patient.

you have to be in the system (0)

Anonymous Coward | more than 2 years ago | (#40914093)

If you get medical care, unfortunately you have to be "in the system". There appears to be no option to just show up at a clinic with a broken arm or needing a wound cleaned and sewn up, or something, paying them on the spot and getting treated, all without them keeping records on you from then on out.

I wish I could do that, but it appears to not be an option. Their system WILL track you, which means you are subject to whatever data leaks they happen to have.

Re:you have to be in the system (2)

Adult film producer (866485) | more than 2 years ago | (#40914231)

That's not exactly true. There are many private medical facilities that have rejected government funding (Medicare/Medicaid) and a few that have totally rejected electronic medical records, with good reason.

For example, The Surgery Center of Oklahoma [surgerycenterok.com] only uses paper records (much more difficult for the government and third parties to "leak"). What's interesting about private medical facilities like this that reject medicare/medicaid is that they know the TRUE cost of performing an operation and post it on their website,

http://surgerycenterok.com/pricing.php [surgerycenterok.com]
One of the doctors at that particular medical center has a blog that some might find worth reading,

http://032a410.netsolhost.com/WordPress/?cat=6 [netsolhost.com]

Re:you have to be in the system (1)

Anonymous Coward | more than 2 years ago | (#40914319)

But you're still in their database, no? No matter how they keep it. I agree that's probably better than being in some insecure online system, but I was thinking more of a "pay and go" system. Like, I can show up at my barber, pay him $16 in cash, get a haircut, and leave, all without him tracking me across future visits and such. Seems like I should be able to show up with some minor treatable problem and have the clinic fix it, or maybe just get a checkup, pay them on the spot, all without getting into their database at all. But it doesn't seem to be possible.

Re:you have to be in the system (2)

Adult film producer (866485) | more than 2 years ago | (#40914361)

The only database you're in is a paper file cabinet at that hospital. What are the chances those paper files are leaked onto the internet or stolen from someone's parked car? Nearly zero.

Re:you have to be in the system (0)

Anonymous Coward | more than 2 years ago | (#40914387)

True, I guess.

Umm... where's the news? (3, Interesting)

besalope (1186101) | more than 2 years ago | (#40914141)

Umm... where's the news? This website has been around for YEARS. The breaches aren't anything new and anyone that is affected should've been alerted per HIPAA.

You all have no idea (1)

sergentzimm (985611) | more than 2 years ago | (#40914165)

Small doctors' offices are ripe for this. The software they use is a joke. Their security is horrendous. Easy to find SQL passwords. Entire health claims stored in plain text. Claim files being sent via modem transmissions. Doctors that refuse to update their software or Windows environment because they are cheap... The list goes on.

Re:You all have no idea (2, Insightful)

Anonymous Coward | more than 2 years ago | (#40914343)

Assumption junction, what's your function? Hookin' up word and phrases and sound bites.

Should have looked further (5, Informative)

jforr (15487) | more than 2 years ago | (#40914591)

"Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing."

Submitter should have dug a little bit further. TRICARE was the agency where the records originated, but SAIC was the "business associate" that actually lost the records belonging to TRICARE.

Re:Should have looked further (1)

BSDstef (263739) | more than 2 years ago | (#40916383)

Deciding to outsource data processing doesn't make you any less responsible for the data.

Re:Should have looked further (1)

Thorodin (1999352) | more than 2 years ago | (#40916533)

True, but how far do you go or what do you do to guarantee that the outsourced company is fully compliant with HIPAA security and privacy regulations? Look at this scenario (btw, I work in IT in a hospital): Upload patient data via VPN (fully encrypted, AES, etc.) to a data mining company for a patient safety study. The company has shown they've been audited by security auditors and passed. However, they don't mention they're upgrading their systems, and something gets missed during the upgrade and BAM! patient data revealed. I think in that scenario, the provider, having shown due diligence, may get by without a fine, but if the records revealed amount to 500 or more patients, they'll still get listed on the wall of shame.

Re:Should have looked further (1)

Fnord666 (889225) | more than 2 years ago | (#40919119)

True, but how far do you go or what do you do to guarantee that the outsourced company is fully compliant with HIPAA security and privacy regulations? Look at this scenario (btw, I work in IT in a hospital): Upload patient data via VPN (fully encrypted, AES, etc.) to a data mining company for a patient safety study. The company has shown they've been audited by security auditors and passed. However, they don't mention they're upgrading their systems, and something gets missed during the upgrade and BAM! patient data revealed. I think in that scenario, the provider, having shown due diligence, may get by without a fine, but if the records revealed amount to 500 or more patients, they'll still get listed on the wall of shame.

If you are outsourcing your data for studies, then all personally identifying information should be scrubbed or anonymized.
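One way to do the scrubbing the comment above calls for, as an added example that is not code from the thread or from any real provider: strip direct identifiers, replace the medical record number with a keyed pseudonym so the study partner can still link visits without learning who the patient is, and generalise the quasi-identifiers (age into buckets with 90+ aggregated, dates to year, ZIP to its first three digits) in the style of the HIPAA Safe Harbor list. The record layout, the linkage key and the set of restricted ZIP prefixes are assumptions constructed for this example.

```python
"""De-identify constructed patient records before handing them to a
business associate for a study. Added example; not from the Slashdot
thread or any provider's code. Record layout, key and ZIP list are
assumptions made up for illustration."""
import hashlib
import hmac
from datetime import date

# Constructed sample records; no real patients.
RECORDS = [
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1958-03-14",
     "zip": "73102", "phone": "405-555-0100", "diagnosis": "E11.9",
     "visit_date": "2011-10-15"},
    {"mrn": "MRN-000456", "name": "John Roe", "dob": "1920-07-01",
     "zip": "03601", "phone": "603-555-0199", "diagnosis": "I10",
     "visit_date": "2011-12-22"},
]

# Direct identifiers that must never leave the covered entity.
DIRECT_IDENTIFIERS = ("mrn", "name", "dob", "phone")

# Three-digit ZIP prefixes covering sparsely populated areas that Safe
# Harbor says must be reported as 000. Illustrative list assumed for
# this example; a real deployment loads the current Census figures.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890",
                   "893"}


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed hash of the MRN: stable per patient so visits can be linked,
    but not reversible without the key, which stays on premises."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def age_bucket(dob: str, as_of: date) -> str:
    """Ten-year age band; everyone 90 and over collapses into one band."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    if age >= 90:
        return "90+"
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def zip3(zip_code: str) -> str:
    """Keep only the ZIP prefix, or 000 for restricted prefixes."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def deidentify(record: dict, key: bytes, as_of: date) -> dict:
    """Build a new record containing only the fields the study may see."""
    out = {
        "patient_id": pseudonym(record["mrn"], key),
        "age_bucket": age_bucket(record["dob"], as_of),
        "zip3": zip3(record["zip"]),
        "visit_year": record["visit_date"][:4],
        "diagnosis": record["diagnosis"],
    }
    # Belt and braces: fail loudly if a direct identifier ever leaks through.
    assert not any(k in out for k in DIRECT_IDENTIFIERS)
    return out


def deidentify_all(records, key: bytes, as_of: date) -> list:
    return [deidentify(r, key, as_of) for r in records]


if __name__ == "__main__":
    # Assumed key; in practice generated once and kept out of the export.
    KEY = b"example-linkage-key-keep-on-premises"
    for row in deidentify_all(RECORDS, KEY, date(2012, 2, 3)):
        print(row)
```

The pseudonym is deliberately keyed rather than a plain hash: MRNs have little entropy, so an unkeyed SHA-256 could be reversed by hashing the whole MRN range. Whether three-digit ZIPs and age bands are enough for a given study is a re-identification risk question the covered entity still has to answer; the Safe Harbor list is a floor, not a guarantee.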

I beat the system (4, Funny)

slashmydots (2189826) | more than 2 years ago | (#40914635)

I beat the system by having no significant medical records in the last 10 years :P One finger X-ray (no break, yay) and like 2 appointments for allergies. Good luck blackmailing me with that, lol. I just stay exceptionally healthy. Take that, hackers! lol.

Re:I beat the system (5, Funny)

TheRealMindChild (743925) | more than 2 years ago | (#40914729)

I go the other route. I have so much debt in medical bills that only a fool would try to steal my identity.

Re:I beat the system (1)

eyenot (102141) | more than 2 years ago | (#40917129)

One-up on both of you, I somehow managed to do both simultaneously. Exceptionally healthy but for one stint that nobody would want to pick up the tab on.

But server was hacked.... (5, Insightful)

stanlyb (1839382) | more than 2 years ago | (#40914739)

If you read the article, you will see that the main problem is the proper handling of the backups, not the actual server application or database; in other words, here the problem is the "meatware", not the "software".

Putting health records on the web is a good thing (2)

spasm (79260) | more than 2 years ago | (#40914757)

I think this is all kind of backwards. Since moving to the US a decade or so ago from a country with universal healthcare* the biggest problem I've had is with getting my health records passed from one provider to the next when I change jobs / locations / insurers. I'd love it if someone hacked all my health records and put them on the web for everyone (including myself), since that'd actually mean my various providers could see what the last person produced. I really don't give a shit if my next door neighbor knows I have elevated cholesterol and am on anti-anxiety meds. Shit, if they knew that I was so stressed I was having panic attacks, maybe they'd stop firing up their fucking leaf blower at 8am sharp out of concern for my wellbeing. But I digress.

The reason Americans are so paranoid about 'other people' seeing their healthcare records is some of the 'other people' are for-profit health insurers and before 2010 (when key provisions of the Patient Protection and Affordable Care Act aka 'Obamacare' came into force) they could and did deny coverage to people with pre-existing conditions. It's not surprising that there's a bit of a social lag here - three generations of Americans have had to be scared about whether their for-profit healthcare provider could find a way to weasel out of actually paying for necessary healthcare, and it's going to take a while for people to realize they don't have to give a shit any more.

* Good luck guessing which country I moved from - every other first world country on earth has universal healthcare, as do many of those who can't easily claim 'first world' status.

Re:Putting health records on the web is a good thi (3, Informative)

Z34107 (925136) | more than 2 years ago | (#40914937)

Nobody has to "hack" your medical record. HIPAA guarantees you a copy, so go ask for it.

If, instead, your beef is that the doctors treating you don't talk to each other, find some that do. Electronic health records make this trivially possible, and there are lots of Keysers out there practicing managed care [wikipedia.org] .

Finally, do you really think that "for-profit insurers" are the only reason Americans expect their medical records to be confidential? I understand that you have Nothing To Hide, but "too much patient privacy" is the last thing wrong with healthcare in America.

Re:Putting health records on the web is a good thi (0)

Anonymous Coward | more than 2 years ago | (#40916497)

Great point. I have had to get my records a few times and they charged a dollar a page. A few spine surgeries and the fact I had to go for all the after care meant my record was over $600. I was livid. I called my attorney and asked them to request my records so they could pay for it. $65 !!!!!! This is just one of many reasons why I am mad at the healthcare field. Oh, and the makers of the hardware in my spine.....they paid off doctors to hide results and claim there were no issues. I will let you know how the group tort comes out.

Re:Putting health records on the web is a good thi (0)

eyenot (102141) | more than 2 years ago | (#40917083)

* Truly, brah, 2nd/3rd-world guaranteed health coverage is way, way way, WAY better than this total shit-hole butt-rape in the face scab nightmare we call "America"! Fuck yeah, you should move the fuck out. Do yourself one better. Before your neighbors break into your home and replace your anxiety meds with sugar pills. Fucking Americans!!! *sob* I just wish I had all the guaranteed health care coverage available in so many 2nd/3rd world countries.

Public Records? (0)

Anonymous Coward | more than 2 years ago | (#40914815)

Why aren't these public records anyway? After all in today's America what isn't? Shouldn't everything be transparent?

appropriate measures (2, Insightful)

kermidge (2221646) | more than 2 years ago | (#40914839)

To hell with fines. Felony-grade jail time in no less than medium-security, from top people on down, with the parole condition that upon release they never work with customer information or data again.

Re:appropriate measures (0)

Anonymous Coward | more than 2 years ago | (#40916443)

Would you work under those conditions?

Re:appropriate measures (1)

Thorodin (1999352) | more than 2 years ago | (#40916561)

Spoken by someone with nary a clue as to the complexity involved and the unintended consequences of such an idea, if put in place. You'd see a boatload of IT people leave. I know I would. But just imagine what effect that would have on the delivery of healthcare. Think how tight security would get.

Re:appropriate measures (2)

kermidge (2221646) | more than 2 years ago | (#40916843)

@AC - probably not, but I've worked under various fiduciary and performance bonds where the consequences for screwing up carried the risk of jail time.

Thorodin - ah, good, some discussion. I don't see that fines work: cost is passed to clients' insurance; the highers and stockholders are not affected in any meaningful way. Notice I said top down - not the bods and sods in IT (unless they'd been screwing the pooch.)

How many stories and posts have we seen just in the last year or so where upper management assigns the vague task "make it secure" and then hamstrings everything/everyone trying to do that?

No, I have but few clues as to just how complex the matter is. What does seem clear, though, is that "business as usual" is not working too well. Have you any ideas on what might could be done to make things better?

Re:appropriate measures (0)

Anonymous Coward | more than 2 years ago | (#40918063)

"Have you any ideas on what might could be done to make things better?"

Of course not. This is slashdot. We only find problems and complain here.

The Cloud! (1)

yumetoinori (2506622) | more than 2 years ago | (#40915143)

The Cloud will fix this! See, if everything is in the cloud then everyone's records can be accessed without authorization at the same time, thus negating the need for the Wall of Shame! Or at least just have one name on the Wall. But then that's not much of a wall. Snippet of Shame? One-liner of Shame?

Re:The Cloud! (1)

eyenot (102141) | more than 2 years ago | (#40917057)

The great thing about The Cloud is it allows you to tailor the data experience to the networking needs of all clients and all terminals. So whoever visits the Wall will just see their own name.

happened yesterday (0)

Anonymous Coward | more than 2 years ago | (#40915155)

Someone at my work wife works at a dentist's office. They got all new computers (about 5, and 2 laptops); they didn't know what to do with the old ones, so someone brought them into work and gave them away to whoever wanted them. I asked if they had been wiped; he said "I guess so." I plugged one in, booted a Windows password reset CD, logged in, and the computer was full of emails, Word documents, pictures of patients and the dental work they had done, and a full QuickBooks business file. The major personal info was stored on their server at least and not accessible. I quickly told them not to give away any of them until I wiped the drives on the rest of the boxes.
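The check the office never ran before handing those machines out, as an added example that is not code from the thread: scan a disk image (or a block device opened read-only) for any non-zero byte and for a few well-known on-disk signatures that survive a quick "format" but not a real wipe, and refuse to call the drive clean if either turns up. The signature table and the two sample images written to a temporary directory are constructed for this example.

```python
"""Verify that a disk image or block device really is blank before the
hardware leaves the building. Added example; not from the thread.
Sample images below are constructed in a temp directory."""
import os
import tempfile

CHUNK = 1 << 20  # scan 1 MiB at a time so large devices do not fill RAM

# Fixed-offset signatures that indicate a partition table or filesystem
# is still present. Offsets assume 512-byte sectors.
SIGNATURES = (
    (510, b"\x55\xaa", "MBR/VBR boot signature"),
    (3, b"NTFS    ", "NTFS volume header"),
    (512, b"EFI PART", "GPT header"),
    (0x438, b"\x53\xef", "ext2/3/4 superblock magic"),
)


def scan_image(path: str) -> dict:
    """Return byte count, number of non-zero bytes, offset of the first
    non-zero byte (None if blank) and any recognised signatures."""
    found = []
    nonzero = 0
    first = None
    total = 0
    with open(path, "rb") as f:
        head = f.read(4096)
        for off, magic, label in SIGNATURES:
            if head[off:off + len(magic)] == magic:
                found.append(label)
        f.seek(0)
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            zeros = chunk.count(0)  # bytes.count accepts an int byte value
            if zeros != len(chunk):
                nonzero += len(chunk) - zeros
                if first is None:
                    first = total + next(i for i, b in enumerate(chunk) if b)
            total += len(chunk)
    return {"bytes": total, "nonzero": nonzero,
            "first_nonzero": first, "signatures": found}


def is_wiped(path: str) -> bool:
    """A drive counts as wiped only if it is all zeros and carries no
    filesystem or partition-table signature."""
    r = scan_image(path)
    return r["nonzero"] == 0 and not r["signatures"]


def make_samples(directory: str):
    """Constructed images: one truly zeroed, one 'formatted' but with a
    leftover boot signature and a few bytes of stale data."""
    wiped = os.path.join(directory, "wiped.img")
    with open(wiped, "wb") as f:
        f.write(b"\x00" * (2 * CHUNK + 17))
    dirty = os.path.join(directory, "dirty.img")
    buf = bytearray(2 * CHUNK)
    buf[510:512] = b"\x55\xaa"
    buf[1024:1040] = b"patient notes..."
    with open(dirty, "wb") as f:
        f.write(buf)
    return wiped, dirty


def demo() -> dict:
    """Build the samples and scan both; returns verdicts plus details."""
    with tempfile.TemporaryDirectory() as d:
        wiped, dirty = make_samples(d)
        return {
            "wiped": (is_wiped(wiped), scan_image(wiped)),
            "dirty": (is_wiped(dirty), scan_image(dirty)),
        }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(name, "WIPED" if ok else "NOT WIPED", detail)
```

On a real machine you would point `scan_image` at the raw device (for example a `/dev/sd?` node on Linux, with the drive attached to a separate workstation) after overwriting it, not at a file copied off a mounted filesystem; a copy of the visible files says nothing about free space, and that is where the deleted records live. A drive that fails this check gets overwritten again or physically destroyed, never handed out.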

Re:happened yesterday (2)

eyenot (102141) | more than 2 years ago | (#40917043)

And what does your play-wife have to say about all of that? Is she concerned for her medical privacy in general, or just when you're around? Also, who was this other person at your work-wife? HOW was this other person "at" your work-wife? Answers. I demand answers.

Obviously... (0)

Anonymous Coward | more than 2 years ago | (#40915529)

...the solution is implantable RFID chips because they're so secure.

Sold Out By HIPAA (2)

anorlunda (311253) | more than 2 years ago | (#40917587)

Before passage, the HIPAA bill was much debated. Privacy advocates wanted two big things: (a) opt-in rather than opt-out and (b) the right for patients to refuse permission for their health info to be used in ways they don't want while still receiving treatment. The privacy advocates lost.

The result is that now, when you visit the doctor you get a multi-page privacy disclosure. You are allowed to request changes in how your health info is treated. However, the provider has the right to refuse treatment if you request even the slightest deviation. That means that providers can write their software presuming that 100% of patients consent to the most invasive and insecure privacy practices.

It should be the right of every patient to forgo the advantages of digitally stored health records and to opt-out without being sent packing without treatment. One should even have the right to seek treatment anonymously and pay cash. Even that is forbidden by state and federal laws regarding record keeping by providers.

I'm afraid that the only way out for US citizens determined to protect their privacy is itself a felony. I speak of identity theft -- fraudulently using someone else's identity to get health care.

HIPAA was supposed to protect patient privacy. Instead, it merely adds to the mindless and wasteful bureaucracy of health care while institutionalizing privacy-invasive practices, giving legal cover to abusers, and criminalizing individual tactics to protect themselves. In addition, HIPAA preempted many state laws that provided better privacy protections than HIPAA.

How do I know if I was affected? (0)

Anonymous Coward | more than 2 years ago | (#40918253)

I live in California and over the past 10 years have had two different insurance providers for medical services (company X got bought by company Y, and they both offered insurance through different companies). I reviewed the linked article and found the following:

Delta Dental CA 11,646 12/22/2011 - 12/23/2011 Unauthorized Access/Disclosure Paper 2/3/2012
Sutter Medical Foundation CA 943,434 10/15/2011 Theft Desktop Computer 12/8/2011

Both of these are insurance companies I had (and for one, still have!) coverage through, during the time of the theft/breaches. So in this situation, do I just bend over and take it? (Pun intended, depending on what your symptoms are ;-) ) I guess what I'm trying to find out is whether or not I was one of the people whose information was disclosed, and if so, what I can do about it or if I'm entitled to anything.

Can someone shed some light on that topic? Nothing in the linked article explains this aspect of it, other than stating that HITECH is the reason for the public disclosure of the breaches, but not what the effects of those breaches are.

Not surprised in the least by this (0)

Anonymous Coward | more than 2 years ago | (#40919627)

About 5 years ago I was at a large Seattle medical facility where my wife was having a minor procedure. While in the waiting room I opened my laptop and found that the clinic's WiFi was open and unencrypted. I asked to see the office manager, showed her my MSFT badge (no longer there, BTW) and explained that anyone with a packet sniffer could capture patient data at will. Their reaction? Fear, as if I was somehow threatening them. No thanks, no request to suggest what to do about it. Pretty sure nothing was done ... maybe it was the Microsoft badge that frightened them :). You can bet your bottom dollar that small clinics across the country have similar issues today.
