back to article Medical data experiment goes horribly wrong: 950,000 records lost

American health insurer Centene Corp says it has lost 950,000 sensitive customer records stored on six hard drives. The drives hold customers' name and address, date of birth, Social Security numbers, and health information. Centene Corp boss Michael Neidorff says the company does not know if the information has been …

  1. Jack of Shadows Silver badge

    Ya'll left out one biggie

    Remember when a Veterans Administration programmer got his laptop which had the health and PII for every veteran?

    1. Guus Leeuw
      Headmaster

      Re: Ya'll left out one biggie

      Dear Sir,

      "You will left out one biggie"?

      Regards,

      Guus

      1. bob, mon!
        Headmaster

        Re: Ya'll left out one biggie

        No, not "you will". Best understood as "You all", not to be confused with "you-uns" ("you ones") or "youse" (ummm.... New Jersey).

        1. Anonymous Coward
          Anonymous Coward

          Re: Ya'll left out one biggie

          Read the start of the post's title again, concentrating on that contraction at the beginning. Look at it very carefully. Do you now understand the humor in Guus' post?

          Hint: Guus' post, not Guu's post.

    2. el_oscuro
      FAIL

      Re: Ya'll left out one biggie

      My first big pwnage I think. Now with my SF-86 in a Chinese database thanks to the OPM and my blood work last week who knows where, thanks to labcorp running XP. I guess everyone who cares knows everything about me.

  2. DougS Silver badge

    It sounds like they were not found during an audit

    So probably just misplaced in someone's desk drawer, but if they are portable drives one would hope they'd use encryption. If they were, I'm sure they would have said so, so one can conclude they were not.

    1. Smooth Newt Silver badge

      Re: It sounds like they were not found during an audit

      Even misplaced in someone's desk drawer would be incompatible with "Centene takes the privacy and security of our members' information seriously".

      In a properly run system they would only be stored in a designated secure place, not some random desk drawer.

      1. Captain Scarlet Silver badge

        Re: It sounds like they were not found during an audit

        Having tried the "designated secure place" method before I know it will always fail.

        I would prefer the ban of all external storage devices but ultimately everyone wants them (Even though they will likely have a laptop, they have vpn, its just laziness.) and expects computers to encrypt everything for them.

      2. DougS Silver badge

        Re: It sounds like they were not found during an audit

        I wasn't suggesting leaving drives in desk drawers was a smart practice, but misplacing it in their own offices versus knowing it was lost outside their offices, and that's different than knowing it was stolen.

        Knowing it was misplaced inside their offices = lack of care common to 98% of enterprises and 99.9% of governments, it very likely won't result in data compromise (only if it was stolen by an insider)

        Knowing it was lost outside their offices = concern over why it was outside their offices but at least if someone finds it they probably won't realize what they have so data is unlikely to be compromised

        Knowing it was stolen = red alert concern since someone clearly knew what they were taking and your data WILL be compromised the only question is how badly you'll be screwed

  3. Anonymous Coward
    Anonymous Coward

    Platitudes that are pointless and annoying....

    "We take your security very seriously"..... maybe, maybe not, but telling me that when you announce how you've failed is not reassuring in any way. Just leave it out of security announcements.

    Not from this story, but ...

    "There will be lessons learned" ... again, maybe, maybe not, but i don't care about the future, i care about now and why you f*cked up today!

    1. Doctor Syntax Silver badge

      Re: Platitudes that are pointless and annoying....

      Why do the media let them get away with this. The obvious rejoinders are:

      Prove it

      Who do you think is stupid enough to believe that?

      How much data would you have lost if you weren't taking it seriously?

      Has anybody in the media tried any of these?

      1. Captain DaFt

        Re: Platitudes that are pointless and annoying....

        "How much data would you have lost if you weren't taking it seriously?"

        This. Should be the first question asked, not only by the press, but by law enforcement investigating the loss, and every client whose data was lost, loudly and publicly!

        Because you know nothing's going to change security-wise otherwise.

    2. MyffyW Silver badge

      Re: Platitudes that are pointless and annoying....

      I just love the weasel words "out of abundance of caution and in transparency"

      ...as the horse lollops off across the field there is the sound of a stable door being gently shut, but probably not locked.

  4. CAPS LOCK Silver badge

    The health care industry...

    ... again.

  5. Captain Badmouth
    FAIL

    The health "without due care" industry, shirley?

  6. imanidiot Silver badge

    The problem with the health care industry

    The problem is that they are primarly and pretty much ONLY focused on health care. Thats a pretty good thing, but it does mean the focus on other important aspects is lost. And even when they bring in outside experts, things like data security will take a back seat to improving the health care.

    1. frank ly Silver badge

      Re: The problem with the health care industry

      "... take a back seat to improving the health care."

      I think you mean, "take a back seat to increasing the profits."

      See this:

      http://www.theregister.co.uk/2016/01/26/hackers_can_take_full_control_of_car_os/

      It mentions how Fiat Chrysler 'saw the light' regarding vehicle systems security.

    2. Terry 6 Silver badge

      Re: The problem with the health care industry

      No. The people focussing on health care are still working within a system. And one that has to be got right in the planning stage. It's too late to think about these things during implementation.

      If data security wasn't planned in this is either due to incompetence or cost cutting. Or both.

      So all the glib gibberish about taking this that and the other seriously is pure PR company arse-covering bullshit.

      1. Anonymous Coward
        Anonymous Coward

        Re: The problem with the health care industry

        Healthcare came long before IT, and was never very computerized until the big EMR and insurance-for-all push of the last decade or so. Take away the profiteering and you still have a computer-illiterate culture.

        I would also point the finger at governments, for A) monopolizing funding, B) collecting everyone's personal data, and C) the war on encryption (together with their toadies Oracle, Microsoft, et al). This wouldn't happen if OS vendors made it easy for terrorists, criminals, and doctors to encrypt stuff.

  7. thomas k

    I'm sure the data's encrypted

    Right? Right?

    1. allthecoolshortnamesweretaken Silver badge

      Re: I'm sure the data's encrypted

      Well, technically - yes. Pity it's a format every other computer can read.

  8. hi_robb

    Hmm

    reading this article makes me sick...

  9. Flywheel Silver badge
    FAIL

    "While we don't believe this information has been used inappropriately"

    The sheer B*LLS of this statement?!

  10. Dan Paul

    There is no penalty so they just dont care...

    If there are no consequences to this crime, it will just continue unabated.

    IMHO, my personal data with SSN is worth $100,000 dollars to me. It is MY data and I get to say what it's value is.

    If you have it, better keep it safe. Let's see, 950,000 stolen identities at $100,000 apiece....that might make a beancounter fund the security of their system.

    1. sysconfig

      Re: There is no penalty so they just dont care...

      Doesn't really work like that though. Bean counters only care about the here and now. Tomorrow only matters, if you can show them how you are going to save costs then.

      Costs related to possible security breaches is something they refuse to hear, because it's - in their minds - hypothetical. "Won't happen to us," is still a very common mind set, not only among bean counters. Costs related to improving security therefore are just that... costs.

      The *only* way to change this attitude is to impose hefty fines or criminal proceedings against individuals (somewhere at or close to C-level, or comparable position in the public sector).

      As seen here with Talk Talk and other companies, the prospect of losing money is a minor concern. Shares take a short dip (only if a lot of publicity is involved), then recover and it's back to business as usual. In the public sector there are no shareholders. Somebody *might* be in charge, but nobody seems to be accountable.

      With that attitude nothing is ever going to change, no matter what kind of figures you come up with.

    2. Anonymous Coward
      Anonymous Coward

      Re: There is no penalty so they just dont care...

      Prison is the only thing that will fix this - and it needs to be boardroom level, not some lowly developer or architect.

      As many others have said, companies are banking on the fact that there is ZERO financial or personal cost to them for losing this info. If there's a real chance that the CEO or CFO will go to prison for six months for every data breach this problem will disappear completely. They can let out a few of the kids imprisoned for possession of two joints to make room for the suits.

      I am so tired of replacing my credit card three times a year. Getting useless "credit monitoring" notices, etc. etc. I can't change my name, date of birth, place of birth, social security / NI number, etc. and all these fuckwits have required this information, used it as primary keys, and then lost it.

      Something needs to change and change very soon.

  11. wikkity

    The company says financial information is not included in the lost database.

    Oh, that's ok then. Why do companies think this is the most important thing to state. A lot of people would be covered for fraud done with data like this and the company would be expected be made to cover any costs involved.

    However, personal and health info once released there is no way to undo

    1. Anonymous Coward
      Anonymous Coward

      Re: The company says financial information is not included in the lost database.

      Right - I can change my bank account number, close my credit card.

      I can't change my name, date of birth, social security or NI number, place of birth, mother's maiden name, etc etc. That data is, in fact, far more valuable

  12. Keven E

    The path into the fan

    "Prison is the only thing that will fix this - and it needs to be boardroom level, not some lowly developer or architect."

    "Criminally negligent data loss"... or "Depraved indifference identity theft"... make them felonies, which once on one's record won't even allow for more than a minimum wage gig. Also the parole time should be spent like a convicted black hatter's... only limited/supervised internet access (if any).

    The hired assassin goes to jail as does the person ordering the hit.

    It really should be the equivalent of an "assault" charge.

    1. cd

      Re: The path into the fan

      Not bad, but I really think this calls for a death penalty. Then it will be taken "seriously".

  13. John Smith 19 Gold badge
    Unhappy

    *Still* not using encrypted drives?

    In 2016.

    Unimpressed.

    But as others have noted this won't really change till senior people start going to jail.

  14. David Pollard

    NHS Care Data?

    If anyone reading is involved with the NHS medical records systems, can you please use this leak as yet another example and try to point out to those in charge that the creation of a large central database which holds personal data isn't a terribly good idea

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019