back to article WHOOPSIE! Vast US health insurer CareFirst plundered of 1.1 MEELLION records

More than 1.1 million user records have been compromised following a hack against US health insurer CareFirst BlueCross BlueShield. Data including members’ names, birth dates, email addresses and subscriber identification numbers may have been stolen by hackers as a result of a security breach last July. The hack was only …

  1. Alister

    Sadly whilst ever there is data held in databases, someone will find a way to steal it.

    I'm pleasantly surprised by how CareFirst have handled this, they appear to have been up-front and honest with their customers.

    Contrast this with how so many other big companies in recent memory have behaved after a data breach.

    I have no axe to grind here, just thought it worthy of comment.

  2. Merodach
    FAIL

    Once again.......

    A company takes the low road, and instead of securing the data properly merely offers credit monitoring.

    Here's an idea to end this :

    1] Require, by law, not just monitoring but the full cost of credit repair and restoration be borne, primarily by the executives of the breached company.

    2] Fine the company 10x that cost, with all money to be directly distributed (NO LAWYERS!) to the victims of the breach.

    1. Charles 9
      FAIL

      Re: Once again.......

      And the only agent with the capability to do that would be a benevolent autocrat. As for the executives, they'll probably hide their assets and go to ground before complying. As for direct distribution, that's too much of a gray area. After all, some damage will be worse than others and some may be impossible to conclusively determine due to murky knock-on effects.

    2. Robert Helpmann??
      Childcatcher

      Re: Once again.......

      Here's an idea to end this : 1] Require, by law...

      Here's an example of an unintended consequence: companies now have an incentive to put their competition out of business by hiring third parties to commit online attacks against them. For any such law to be worthwhile, it should target those companies that are guilty of neglect. If a company is hacked despite every reasonable attempt to secure data in its possession, it should not be penalized.

      Having passed a law with this proviso, we would then have a situation in which either non-technical politicians, judges or jury members will have to decide things like what constitutes best practices for data security. While this is not the best of all worlds, it still might nudge things in a desirable direction from the point of view of consumers victims.

  3. Anonymous Coward
    Anonymous Coward

    ...and there will be

    ...little or no punishment for the negligent health insurer.

  4. Erik4872

    Here we go again

    These security problems are becoming so routine. Unfortunately, like all the other ones, nothing is going to change. Insurance companies will pay out the damages, and everything will go back to the way it was. This happens all the time with retailers -- "oops, sorry, here's a credit monitoring service. Now, let's get back to outsourcing our IT department to the lowest bidder."

    I'm guessing that one of the problems here might be outsourced IT. Not that in-house IT would have been guaranteed to catch problems, but I've worked on both sides (outsourcer and outsourcee). The second you do this, a huge wall goes up blocking new changes. Everything either side wants to do turns into a mess of cajoling the other side to agree, scheduling changes, paying for changes, etc. etc... This comes to a point where on-site staff stop caring and just let things go because it's too much work to manage.

    1. silent_count

      Re: Here we go again

      "oops, sorry, here's a credit monitoring service. Now, let's get back to outsourcing our IT department to the lowest bidder."

      And there I think you've hit at the root of the problem - it's cheaper and easier to say "oopsies" and give out pennies worth of credit monitoring than to pay the cost to secure the customer data.

      Unless there's a big enough stick - either through legislation or litigation - this will continue to be the standard practice.

      1. Charles 9

        Re: Here we go again

        And how are you going to make a penalty big enough to make big medical companies actually pay attention without the risk of collateral damage? And since the medical profession is about saving lives, that collateral damage can turn deadly.

        The way I see it, it's a no-win position. If it's not strong enough, they'll just pay the penalty and carry on. If it IS, then the moment that penalty is applied, things are going to get ugly.

        1. Destroy All Monsters Silver badge
          Holmes

          Re: Here we go again

          And how are you going to make a penalty big enough to make big medical companies actually pay attention without the risk of collateral damage? And since the medical profession is about saving lives, that collateral damage can turn deadly.

          The US market in healthcare is totally dysfunctional anyway and caught in the vice of crazy-arse regulation, and stalking no-win no-fee lawyers while nepostistic payouts and subsidies are guaranteed to connected players via RetardoCare all the while "progressives" are baying for "cheap healthcare" at "no cost". A bit of collateral damage might be exactly what the doctor ordered to properly euthanize the whole festering heap.

        2. dan1980

          Re: Here we go again

          @Charles 9

          The way you work it - indeed the only way you can work it - is that you specify how certain types of customer data must be kept and secured and audited.

          You can't necessarily say things like "credit card details must be encrypted with XYZ encryption" but you can say that they must be stored in an encrypted format.

          You can also dictate what types of data must be stored separately - like financial details - and specify that access must be controlled so that only those that really need to see that data can. It is not unknown for legislation to have examples listed so one could put in one that said that staff assessing health claims should not be able to view a customers social security number or bank account details, and the billing department should not be able to see claims details beyond that which is necessary to calculate excess charges.

          The idea is that you really can't 100% prevent breaches from happening so you must look at limiting the damage that can be done if - and indeed when - they occur.

          There are already regulations around data discovery that affects how companies store and process data so this would really not be that much different.

          1. Charles 9

            Re: Here we go again

            "The way you work it - indeed the only way you can work it - is that you specify how certain types of customer data must be kept and secured and audited."

            And I think the problem lies in that, while it's all well and good to demand this and that, what happens when "this and that" interferes with your operations, sometimes to the extent that your future as a going concern is in jeopardy? Data demands can change, often overlap, and can have deadlines. This is especially true in the medical profession where you are simultaneously pulled by time, money, and regulatory demands with lives on the line. Trying to impose conditions on something as complicated as, say, a major hospital, tends to result in entanglement.

            Going back to your examples, a health claim person WOULD need access to the social security number if the insurance being claimed is GOVERNMENT-RUN (Medicare, Tricare, etc.) and WOULD need access to financial records if a claim of DESTITUTION is being filed (they're claiming they can't pay the bill). As for the billing department, they WOULD need to see many claims details because the insurance companies can impose charge limits and write-off requirements as a condition of the claim, and these minutiae all affect the final bill sent to the patient/family. Then there's the legal department, who would probably need access to nigh everything in order to make sure everything's on the level and ESPECIALLY if a malpractice suit is filed against them.

        3. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            Re: Here we go again

            "Easy: make it prison time for the non-medical executives."

            And if ALL the executives are medical?

  5. phil dude
    Facepalm

    does any pay for credit monitoring?

    I think I have been offer "we are incompetent" credit monitoring several times the last few years. Perhaps they could offer a token so when you have enough, you are covered for life....

    Alternatively, we could make the liability on customer data breaches perhaps a %age of gross....fair?

    P.

  6. x 7

    so far these hacks have only taken identity data from the insurers........wait until the Chinese hackers (so far they have all been Chinese) hack the clinical data systems, which are now nearly all hosted / cloud systems. Once thats cracked the medical history of huge swathes of population is at risk

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like