HealthCare.gov System Hack Is Much Worse Than Initially Thought

It seems that the HealthCare.gov hack that we reported on earlier this month is more concerning than initially thought. A letter is being mailed out to citizens who have been affected by the hack.

Name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application. Other information provided on the application, including expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant, and whether the applicant already had health insurance. Information provided by other federal agencies and data sources to confirm the information provided on the application, and whether the Marketplace asked the applicant for documents or explanations. The results of the application, including whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount. And if the applicant enrolled, the name of the insurance plan, the premium, and dates of coverage. The information that was accessible did not include bank account numbers, credit card numbers, or diagnosis or treatment information.

We are offering your minor free identity theft protection services through ID Experts, the data breach and recovery services expert, to provide you with MyIDCare. MyIDCare services include: 12 months of identity monitoring, a $5,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, MyIDCare will help your minor resolve issues if their identity is compromised.
 
sheesh

Why can't we strengthen ID requirements to prevent the theft? Seems like these hacks would lessen significantly if the data was useless.
 
"... With this protection, MyIDCare will help your minor resolve issues if their identity is compromised."

So a 'minor' is covered. What about adults? They're mature enough to take care of their own identity issues.
 
anybody else noticing the trend is definitely one of:
* oh damn, we were hacked
* ....6 months ago
* well, tell the public about PART of it, but not the whole thing
* wait for a few more sensational events, headlines, mid term elections, etc
* release a smaller article nobody cares about, because this is old news, stating that they weren't just hacked, they were full on owned to the core, everybody's screwed, and the world is ending
* offer free credit monitoring for a year
 
Wait, isn't this the same website that took a couple of years and over 2 billion bucks to try and get working and they still have problems?
A college student could have designed the whole thing for a few thousand bucks and it would have been more secure, IMO.
 
The anti-government hooting is always popular, but I'm thinking the private businesses have been just as bad if not worse in many cases.

This isn't a function of government, it's an ever-moving target that many entities, private, public or governmental, are bad at handling. Politics aside for a moment, any of us who are even remotely connected to IT know for a fact that security is simply too much of an afterthought.
It isn't that it can't be done. It's that it costs money continuously to have decent security, which is why it's rarely done right.

The solution? Proper regulation. OHH GOVERNMENT AGAIN THEY CAN'T DO SHIT RIGHT. I argue that in the history of regulation, a lot was done right. And looking at how data leaks left and right from sources that handle sensitive, private data, yeah I think the only way to make a dent in it is to regulate. Make them bleed when an entity thinks they can't be bothered because it eats into their budget.

Wait, isn't this the same website that took a couple of years and over 2 billion bucks to try and get working and they still have problems?
A college student could have designed the whole thing for a few thousand bucks and it would have been more secure, IMO.
You're of course entitled to your opinion, but security is very difficult and a college student would make a large number of mistakes and it would leak like a faucet.
 
Why's there so much focus on the government healthcare aspect? Well, outside of their probably crappier standards in general... but really it's almost a race to the bottom at this point. These hacks happen to a lot of companies, so I think it's kind of silly to just zero in on that. The issue is that we don't really have enough good countermeasures in place, across the entire industry. Devs are just too lazy about information security because it takes time to build up properly, it's a pain in the butt, and it's time you spend "not working." They're not necessarily at fault. It's really probably the fault of managers and companies, and the culture in general. If you're not rolling out new features and working code, your company might consider that as "not working." So why focus on security when they need features yesterday? Why waste man hours when all you (the corporation or institute) are going to get is a slap on the wrist when you're hacked? And really even if you do put in countermeasures as best as you could, your butt is still going to be the one probably getting fired if some inventive hacker finds a loophole. Even if everything is hashed and it's mostly useless, you're probably on the line. We need to set up a proper culture of data security and make people actually freaking understand why their information is so valuable, and why information needs to be protected. Maybe then Facebook will be less popular, too.

Well at least that's how I think it probably is from the outside in. Thankfully I mostly work on an internal network that isn't internet facing at all, so I don't have to worry about this as much. To me it's probably just another symptom of corporate culture.
 
Who would have thought!? Surprise surprise! Hey everyone, we suck at security, here is all the information I have been harvesting forever and ever. Take my shit and have fun!
 
The anti-government hooting is always popular, but I'm thinking the private businesses have been just as bad if not worse in many cases.

This isn't a function of government, it's an ever-moving target that many entities, private, public or governmental, are bad at handling. Politics aside for a moment, any of us who are even remotely connected to IT know for a fact that security is simply too much of an afterthought.
It isn't that it can't be done. It's that it costs money continuously to have decent security, which is why it's rarely done right.

The difference is that it is much harder to hold the government to their civil liability than it is a private company in the wrong. And even when they're forced to pay, it's with our own fucking money! And of course, the whole choice thing. Any time my money goes to a private company, it's because of my choices. Except for healthcare. All because it was never going to get paid for if I didn't get fucked in the ass so a bunch of seniors would vote blue ticket.
 
The difference is that it is much harder to hold the government to their civil liability than it is a private company in the wrong. And even when they're forced to pay, it's with our own fucking money! And of course, the whole choice thing. Any time my money goes to a private company, it's because of my choices. Except for healthcare. All because it was never going to get paid for if I didn't get fucked in the ass so a bunch of seniors would vote blue ticket.

Equifax did not offer you a choice, did we hold them accountable? Can you name one single instance of a company being properly punished for a breach?
 
Equifax did not offer you a choice, did we hold them accountable? Can you name one single instance of a company being properly punished for a breach?
That doesn't make it okay that the government f'ed up too, it just means we have more than one entity to be angry at. And like he said, when a company like Equifax does get punished (or even when they're not), it's not my tax dollars that are being taken to pay for it.
 
Wait? There was a hack? I did not even know about it. Good thing I do not use that site personally.
 
Socialism at its best again. You are forced to pay a fine if you don’t purchase their mandated product or you are hacked and have your full identity stolen if you do.
Never mind the quadrupling of premiums due to this “affordable” act.

You can keep your doctor. :troll:
 
Socialism at its best again. You are forced to pay a fine if you don’t purchase their mandated product or you are hacked and have your full identity stolen if you do.
Never mind the quadrupling of premiums due to this “affordable” act.

But now your neighbor or loved one can actually get things covered like the ongoing cancer treatment they have been needing but skipping out on because it costs too much and insurance called it a 'Previously existing condition'.

Yea my premiums went up. If all of the states actually participated it wouldn't have been as bad and could have gone down. But too many states/individuals wanted to protect their private pocket book than shell out an extra few bucks that everyone ended up getting screwed by it.

Thanks and come again!

BUT... I agree the data breach is a joke. It shouldn't have happened, and the organization found to be responsible should be held accountable. HIPAA data is supposed to be closely protected. So let's see something done about this.
 
Yeah HIPAA is the exception, and rightly so, because it has a pretty decent amount of power and legislation behind it. Non-HIPAA violations are treated as "whoopsies!".
You'll get no arguments from me on that one. I do wish it would change, but I think it's unlikely that we'll see useful legislation for non-HIPAA breaches in our lifetimes.
 
We are offering your minor free identity theft protection services through ID Experts, the data breach and recovery services expert, to provide you with MyIDCare. MyIDCare services include: 12 months of identity monitoring, a $5,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, MyIDCare will help your minor resolve issues if their identity is compromised.

This right here pisses me off the most. That data is valuable and used 5+ years after the incident. This 12 months of coverage is a joke and should be 12 years!

Thanks for the meaningless gesture to appease your customer base that was desperate for healthcare. Really appreciate that. Now... how about you actually provide meaningful protection for that private data that has leaked and cover it for more than the first 12 months. How about for the next 12 events or 12 years?
 
But now your neighbor or loved one can actually get things covered like the ongoing cancer treatment they have been needing but skipping out on because it costs too much and insurance called it a 'Previously existing condition'.

Yea my premiums went up. If all of the states actually participated it wouldn't have been as bad and could have gone down. But too many states/individuals wanted to protect their private pocket book than shell out an extra few bucks that everyone ended up getting screwed by it.

Thanks and come again!

BUT... I agree the data breach is a joke. It shouldn't have happened, and the organization found to be responsible should be held accountable. HIPAA data is supposed to be closely protected. So let's see something done about this.

If the states didn't participate, you got the higher premiums right away. Why? Because how the state participated determined access to the subsidy funds for the insurers. That subsidy fund was extended by executive order, but in the end it ran out of money. The only thing most participation would have done was make it run out earlier.

Putting more patients under care costs more money. Skilled labor at 100% capacity doesn't offer volume discounts.
 
Then an individual would be able to get the same insurance as a large corporation without any sort of group discount. The idea is we all pay in and a portion of our payments help subsidize the cost of medical events for others. As it stands states and counties were eating the cost via emergency rooms being used as the only medical care people were getting then not paying the bill.

Do some searching on unpaid medical bills and how that works out. It is a rather high number. Of course the hospitals and medical providers want to double dip those, get the state/county funding AND go after the people who didn't pay the bill that the state/county funding covered. But that is a different story.

Except large corporations get the rate they get via self-insurance. Which is not what you got buying individual plans. That being said, I'm in a state that didn't participate and we got the full zorch prices up front. The top tier plans were about $1k more than my employer's self insured plans and delivered slightly less. It was more or less the difference between $13.xK and $12.yK.

Maximum participants paying in would distribute the cost of those receiving services over the most people, but that doesn't do jack for the fact that health care is undergoing cost inflation at WAY over the rate of general inflation. Medicare and Medicaid have the burden spread pretty far and their costs are rising too. In 1980, healthcare was 8.9% of GDP. In 2016 it was 17.9%.

We have an aging population, and in general for decades and decades, the last two years of life (combined) tend to cost more than all the previous years of care (combined).

Charity care, what you are referring to, is part of the total health care costs. They are in that number.

I will also point out that the ACA didn't really reduce the number of uninsured. It just changed that number from coming out of the lowest rungs of income level to those slightly up the ladder.

We need to do a lot of things, almost none of them addressed by the ACA.

1) Mint more doctors, nurses, etc. with a lower level of debt. In short, make doctoring a shittier paying job, but a viable shittier paying job.
2) Stop subsidizing the world's medicine prices.
3) Ration more care that is a shitty investment.
 