
posted by Fnord666 on Sunday November 11 2018, @07:28AM
from the another-day-another-breach dept.

Submitted via IRC for Bytram

Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms

Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.

The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems.

CMS didn’t say how the attackers gained access to the accounts, but said it shut off the affected accounts “immediately.”

In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data — including partial Social Security numbers, immigration status and some tax information — may have been taken.

According to the letter, the data included:

  • Name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application;
  • Other information provided on the application, including expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant, and whether the applicant already had health insurance;
  • Information provided by other federal agencies and data sources to confirm the information provided on the application, and whether the Marketplace asked the applicant for documents or explanations;
  • The results of the application, including whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount; and
  • If the applicant enrolled, the name of the insurance plan, the premium, and dates of coverage.

But the government said that no bank account information — including credit card numbers, or diagnostic and treatment information — was taken.

Adding insult to injury


  • (Score: 2) by Bot on Sunday November 11 2018, @07:57AM (6 children)

    by Bot (3902) Subscriber Badge on Sunday November 11 2018, @07:57AM (#760604) Journal

    Who handles these stolen goods? What is that info worth for a hacker, without an infrastructure?

    Anyway, GDPR or no GDPR, whoever asks for more data than is strictly necessary to perform the advertised duty should be fined regardless of the EVENTUAL breach.
    It's like IRL if I went around carrying a baseball bat. Since it takes effort, I cannot be claiming it just hangs around me for no purpose at all.

    I see no technical reason for healthcare data to not be COMPLETELY anonymised, even the birth date altered as age goes on (when you are 50 it does not really matter if you were born in June or August, no?). You pick a necklace from a box of necklaces, it has a valid code that gets read at hospitals and doctors', the end. It would make handling of said data quite easy. Heck, add fake accounts in the DB and basically nobody gets anything out of it, not even aggregate stats. Only those who distributed the codes know which are valid for stat purposes.

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @10:13AM

    by Anonymous Coward on Sunday November 11 2018, @10:13AM (#760612)

    It's like IRL if I went around carrying a baseball bat. Since it takes effort, I cannot be claiming it just hangs around me for no purpose at all.

    The problem is that too small a number of people carry a baseball bat; if more did, maybe opportunities for ad-hoc games would be more frequent.

    Sorta same with guns, some Americans carry one with no purpose at all. If more were to carry a gun, ...

    (grin)

  • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @11:24AM (3 children)

    by Anonymous Coward on Sunday November 11 2018, @11:24AM (#760621)

    whoever asks for more data than is strictly necessary to perform the advertised duty should be fined regardless of the EVENTUAL breach.
    [snip]
    I see no technical reason for healthcare data to not be COMPLETELY anonymised, even the birth date altered as age goes on (when you are 50 it does not really matter if you were born in June or August, no?)

    If you are aware of how identity verification works (to prevent fraud in Medicare, Medicaid and health insurance) you'd know that things like birthday are used to distinguish between individuals with the same name. Also, some insurance companies bump you up to your next birthday if you are within a few months.

    SSN is used for income verification for individuals applying for subsidies. Encrypting SSNs, DOB, etc. should be standard and the data probably is stored in an encrypted fashion. Access to the data was gained by hacking accounts with access to the "behind the scenes" system used by insurers (the public facing website, and its underlying system, was not hacked). If the system insurers use decrypts the data before displaying it (and it has to, or the data is useless) then any safeguards put in place for the data at rest are thwarted.

    These hacked accounts may have been due to weak passwords (a system design flaw), social engineering (poor procedures used by support staff assisting accounts that were locked out), or maybe a session/security weakness in the system itself (another system design flaw). The important thing to keep in mind is that multiple accounts were hacked, which means more can be hacked unless changes are made to the system and/or procedures (if the hacks included social engineering).
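The article's own description of the breach (broker and agent accounts that "engaged in excessive searching" of the marketplace) and the comment above (encryption at rest is no help once a legitimate account is in the wrong hands, so the portal itself has to notice abnormal use) both point at the same control: per-account usage monitoring on the broker-facing system. The detector below is an added example, not CMS or Healthcare.gov code; the log format, field names, account ids and thresholds are all assumptions, and the log lines are constructed for the example.

```python
"""Per-account "excessive searching" detector over broker-portal access logs.

Added example (not code from CMS, Healthcare.gov or the article). It models a
control a broker/agent portal could run to surface the pattern the article
describes: one account viewing far more applications per hour than a working
broker plausibly would. The log format (ISO timestamp, account id, action,
application id), the account ids and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample log lines; not real Healthcare.gov data. Two accounts
# behave like working brokers, a third pulls 60 different applications in one
# hour. One LOGIN line and one malformed line exercise the skip paths.
SAMPLE_LOG_LINES = [
    "2018-10-13T09:01:10Z agent_0412 VIEW_APPLICATION app-1001",
    "2018-10-13T09:06:42Z agent_0412 VIEW_APPLICATION app-1002",
    "2018-10-13T09:15:03Z agent_0412 VIEW_APPLICATION app-1003",
    "2018-10-13T09:02:00Z agent_0777 VIEW_APPLICATION app-2001",
    "2018-10-13T09:20:00Z agent_0777 VIEW_APPLICATION app-2002",
    "2018-10-13T08:59:00Z agent_0919 LOGIN -",           # not a record view
    "this line is truncated and will be skipped",         # malformed
] + [
    # hypothetical compromised account: 60 distinct applications, minutes 00-59
    f"2018-10-13T09:{i:02d}:00Z agent_0919 VIEW_APPLICATION app-{3000 + i}"
    for i in range(60)
]

# Assumed log line shape: <timestamp> <account> <action> <application-id>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<account>\S+)\s+(?P<action>\S+)\s+(?P<app>\S+)$")


def parse_log(lines):
    """Parse lines into (timestamp, account, action, application) tuples.
    Malformed lines are skipped so one bad record cannot stall the detector."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["account"], m["action"], m["app"]))
    return events


def hourly_distinct_views(events, action="VIEW_APPLICATION"):
    """Count the distinct applications each account viewed in each clock hour.
    Returns {(account, hour_start): count}. Only `action` events are counted."""
    buckets = defaultdict(set)
    for ts, account, act, app in events:
        if act != action:
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(account, hour)].add(app)
    return {key: len(apps) for key, apps in buckets.items()}


def flag_excessive_search(counts, absolute_ceiling=25, ratio=5.0):
    """Return [(account, peak_hourly_count)] for accounts whose busiest hour both
    exceeds `absolute_ceiling` distinct applications and is at least `ratio`
    times the median peak across all accounts. Requiring both keeps a single
    busy-but-normal broker from tripping the relative test on a quiet day."""
    peak = defaultdict(int)
    for (account, _hour), n in counts.items():
        peak[account] = max(peak[account], n)
    if not peak:
        return []
    median_peak = statistics.median(peak.values())
    return sorted(
        (account, n)
        for account, n in peak.items()
        if n > absolute_ceiling and n >= ratio * median_peak
    )


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG_LINES)
    findings = flag_excessive_search(hourly_distinct_views(events))
    for account, n in findings:
        print(f"ALERT {account}: {n} distinct applications viewed in one hour")
```

The absolute ceiling is the number an operator would tune from the portal's own history of how many applications a broker touches in an hour; the relative test against the population median is what makes the check self-adjusting across busy and quiet enrolment periods. An alert on a single account would be handled as a locked account and a password reset; several accounts alerting in the same window, as in the breach the article describes, is the signal that the problem is the account-access path itself rather than one careless user.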

    • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @04:50PM (2 children)

      by Anonymous Coward on Sunday November 11 2018, @04:50PM (#760658)

      I had to lock my credit b/c people were opening accounts in my name all over the country. I don't really give a shit about my credit, but I don't need the collectors calling and there's the principle of the matter. Anywho, the companies who allow the data to be stolen and the companies who give credit in my name to ID thieves (for lack of a better term) should be held criminally/physically responsible. Why these dumb asses think they can harass me about it is beyond me. I plan to make them all pay for their transgressions when I get the resources gathered up. Vengeance is nigh!

      • (Score: 0) by Anonymous Coward on Sunday November 11 2018, @06:47PM

        by Anonymous Coward on Sunday November 11 2018, @06:47PM (#760676)

        It's more convenient to dump the problems on you, a peon, than to annoy the good friends of congressmen.

      • (Score: 3, Touché) by c0lo on Sunday November 11 2018, @10:59PM

        by c0lo (156) Subscriber Badge on Sunday November 11 2018, @10:59PM (#760731) Journal

        I had to lock my credit b/c people were opening accounts in my name all over the country.

        Have you considered changing your name to something different than Anonymous Coward?

        (grin)

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 1) by DeVilla on Tuesday November 13 2018, @03:11AM

    by DeVilla (5354) on Tuesday November 13 2018, @03:11AM (#761139)

    It's like IRL if I went around carrying a baseball bat. Since it takes effort, I cannot be claiming it just hangs around me for no purpose at all.

    Bad analogy. It's closer to having a baseball bat buried in the cellar with the holiday decorations, the piles of boxes of financial documents you keep for 5(?) years because the IRS recommends it, dirty laundry waiting to go in the wash, the clean laundry waiting to be folded, old yearbooks & school records in case you are ever nominated for the Supreme Court, the seasonal kids' toys that you need to eventually comb through to get rid of the ones that aren't used any more, replacement furnace filters, power tools, bags of softener salt, etc. You're pretty sure that bat you don't need is with the toys.

    It's closer to the IRS records you should have discarded from years ago. The ones at the bottom of some pile that got buried under the more recent toys & the Christmas ornaments, or the ones currently serving as a makeshift sawhorse.