> That number isn't a projection. It isn't an estimate. It's the sum total of confirmed individuals affected across 735 breach reports filed with the HHS Office for Civil Rights - and it's growing every week.
The attack on Stryker used Microsoft InTune to remote-wipe all of Stryker's systems. If you can wipe a system, could you also drop code on it exfiltrate data and credentials?
Wait, the main takeaway from this article is that cybersecurity sales teams now have great leads?
Facepalm.
The real takeaway should be that at every level -- government, corporate, healthcare entities, personal -- we need to rethink how we're acting in the face of these disasters.
Government should recognize that its current regulations are insufficient and look for ways to refine them.
Corporations and health-care entities should be asking themselves, "Do I really need to store this data? If so, how do I store it securely, make my systems less vulnerable to attack, make my personnel more informed about phishing, store it for the minimum amount of time, etc."
And we as individuals should be asking ourselves whether so many health-care entities need to store so much data about us.
Let's not forget that cybersecurity companies may also be directly involved into hacking government institutions. Case in point - the Bulgarian TAD Group cybersec firm that allegedly hacked the National Revenue Agency in 2019.
> It is still unclear what prompted the hack. The prosecution claims that TAD Group tried to blackmail several companies to hire its services, inducing them with hacked information from their websites. However, no company has publicly complained yet. [0]
This wouldn’t have solved the largest one, Change Healthcare. They are an insurance claims exchange. They have to have all of this data.
The breach was social engineering of a customer support rep.
Having worked with them, they’re absolutely necessary for healthcare (in its current form; don’t get me started) to function. The alternative is integrating with hundreds of payers (won’t happen) or doing it by fax/mail (disaster).
I would say that if it is possible to exfiltrate 193 M sensitive records through a social engineering attack on one customer support rep, then there are multiple failure points that they and other businesses need to address:
- better security training for employees
- don't store 193 M sensitive records in such a way that one social-engineering attack gives you access to all of them
- don't store 193 M sensitive records without appropriate encryption, and make it hard to steal both the records and the decryption mechanism.
> Government should recognize that its current regulations are insufficient and look for ways to refine them.
The shear hostility by many people on here to data protection law (hello GDPR) suggests you are going to have a hard time getting such laws passed in the USA.
1. What a wildly capitalist take on the loss of confidentiality for personnel data.
2. If you get breached, you have a problem. If everyone gets breached it starts to look more like cost-of-business (and that might be cheaper than a cyber firm that doesn't actually fix the problem [but looks good on audits])
3. I wonder if the breached data is entering AI corpuses. Will I be able to ask OpenAI "Does Joe Bloggs, 75 Penn Ave NY have an underlying health conditions I should know about"
Yup I don’t see any huge downsides here for these companies, and not much incentive to change. The more it happens the more they can point to each other and say “see, it’s not just us”
I don't think I would favor executions or anything.
But forcible dilution (partial or total seizure) of the corporation? A mandatory insurance coverage? Absolutely.
We already have statutory HIPAA violation penalties, and I am extremely in favor of assessing them in a breach. The question is whether they are sufficient.
I think the most feasible solution is to make companies liable for damages, not in a light way but rather that every person can sue (or in a class action) for hefty amounts, so that a breach could cost e.g. 100mil+
that should incentivize them to actually invest some money in security. right now its just tiny numbers which are easier to just pay off and forget about
You'd have to deal with all of the binding arbitration agreements first.
That's it, class action lawsuits also are part of the cost of business. Nothing is ever going to change unless the boards of directors (not CEOs) can be held liable for the behavior of the companies that they direct.
OTOH, breaches especially Health Data breaches are the most over-rated, hysteria inducing breaches of all time. There is ZERO use for anyone for your health data
There is a field in a claims form that indicates what type of insurance it is.
One of these is CHAMPUS, which indicates that it is for a service member or their family. You can tell which.
As a basic case, accumulate these (as in the CHC breach of ~30% of Americans) and you have a nice map of where US military are. Since bases house particular units and types of forces, a nation state can estimate strength and investment in the US military.
In a specific case, the response to claims includes patient responsibility (deductible, co-insurance, co-pay.) Add that up for a financial picture, then you’ve got a nice lead list for service members who have money problems.
Can you imagine trying to fully trust a mental health professional today? A patient can't see a therapist's notes, but they sure as hell can be breached.
There is zero LEGITIMATE use for your breached health data.
Since tech community has been going on for years that it could cause a problem, I now don’t see any way out of this mess other than problems start arising since our politicians and leaders can’t be bothered to take the experts claims as legitimate ahead of time.
> I wonder if the breached data is entering AI corpuses.
One would like to think the creators of AI have been prudent enough to ensure AI output obeys data protection law; however the laissez-faire approach the USA takes to data protection (and the hostility of many Americans on here to the GDPR) suggests otherwise.
Wasn't Meta caught using pirate book databases for their training data? No decision maker of importance at any of these companies gives a whiff of a fart about data privacy beyond the bare minimum required by the letter of the law, and only when they think the expected cost of breaking the law would exceed the benefit.
Well at least the leaks and irresponsibility have hit the HIPAA level, maybe now some old people will take it seriously? Or will the fallout continue to be normalization of data leaks like the morons in the federal government did for credit reporting agencies?
In my view that stance is becoming bipartisan as tech companies lobby nonsense like “we can’t get left behind China’s AI models so give us all the data!”
Democrats and Republicans always think they’re smart by investing in whatever wave of technology. Here we are.
HIPAA data is always talked sternly about. I’m hoping my health worker professional friends can help bring attention to the issue. Who knows if everyone will just roll over.
ai; dr
> This isn't a single point of failure - it's a systemic crisis.
> One in seven breaches isn't a sophisticated external attack - it's someone inside the organisation accessing data they shouldn't.
> These organisations aren't browsing - they're buying
https://news.ycombinator.com/newsguidelines.html#generated
> https://news.ycombinator.com/newsguidelines.html#generated
As written, the guidelines talk about AI generated comments, not AI generated submitted articles
In any case, just flag the submission and move on
The leading paragraph is obviously AI, also:
> That number isn't a projection. It isn't an estimate. It's the sum total of confirmed individuals affected across 735 breach reports filed with the HHS Office for Civil Rights - and it's growing every week.
The attack on Stryker used Microsoft InTune to remote-wipe all of Stryker's systems. If you can wipe a system, could you also drop code on it exfiltrate data and credentials?
[0] https://news.ycombinator.com/item?id=47346091
Microsoft Strykes again. What a surprise...
Wait, the main takeaway from this article is that cybersecurity sales teams now have great leads?
Facepalm.
The real takeaway should be that at every level -- government, corporate, healthcare entities, personal -- we need to rethink how we're acting in the face of these disasters.
Government should recognize that its current regulations are insufficient and look for ways to refine them.
Corporations and health-care entities should be asking themselves, "Do I really need to store this data? If so, how do I store it securely, make my systems less vulnerable to attack, make my personnel more informed about phishing, store it for the minimum amount of time, etc."
And we as individuals should be asking ourselves whether so many health-care entities need to store so much data about us.
Let's not forget that cybersecurity companies may also be directly involved into hacking government institutions. Case in point - the Bulgarian TAD Group cybersec firm that allegedly hacked the National Revenue Agency in 2019.
> It is still unclear what prompted the hack. The prosecution claims that TAD Group tried to blackmail several companies to hire its services, inducing them with hacked information from their websites. However, no company has publicly complained yet. [0]
0 - https://kinsights.capital.bg/politics_and_society/2019/09/17...
This wouldn’t have solved the largest one, Change Healthcare. They are an insurance claims exchange. They have to have all of this data.
The breach was social engineering of a customer support rep.
Having worked with them, they’re absolutely necessary for healthcare (in its current form; don’t get me started) to function. The alternative is integrating with hundreds of payers (won’t happen) or doing it by fax/mail (disaster).
I would say that if it is possible to exfiltrate 193 M sensitive records through a social engineering attack on one customer support rep, then there are multiple failure points that they and other businesses need to address:
- better security training for employees
- don't store 193 M sensitive records in such a way that one social-engineering attack gives you access to all of them
- don't store 193 M sensitive records without appropriate encryption, and make it hard to steal both the records and the decryption mechanism.
> Government should recognize that its current regulations are insufficient and look for ways to refine them.
The shear hostility by many people on here to data protection law (hello GDPR) suggests you are going to have a hard time getting such laws passed in the USA.
1. What a wildly capitalist take on the loss of confidentiality for personnel data.
2. If you get breached, you have a problem. If everyone gets breached it starts to look more like cost-of-business (and that might be cheaper than a cyber firm that doesn't actually fix the problem [but looks good on audits])
3. I wonder if the breached data is entering AI corpuses. Will I be able to ask OpenAI "Does Joe Bloggs, 75 Penn Ave NY have an underlying health conditions I should know about"
I think we're already in the "cost-of-business" stage.
the industry standard seems to be:
- release "oopsie" statement
- engage "cybersecurity firm" to investigate
- give out free credit monitoring for a year (fucking worthless)
and so far it seems to be working just fine
Yup I don’t see any huge downsides here for these companies, and not much incentive to change. The more it happens the more they can point to each other and say “see, it’s not just us”
I don't think I would favor executions or anything.
But forcible dilution (partial or total seizure) of the corporation? A mandatory insurance coverage? Absolutely.
We already have statutory HIPAA violation penalties, and I am extremely in favor of assessing them in a breach. The question is whether they are sufficient.
Unless somebody from management AND engineering goes to jail, it's literally just cost of business.
I think the most feasible solution is to make companies liable for damages, not in a light way but rather that every person can sue (or in a class action) for hefty amounts, so that a breach could cost e.g. 100mil+
that should incentivize them to actually invest some money in security. right now its just tiny numbers which are easier to just pay off and forget about
You'd have to deal with all of the binding arbitration agreements first.
That's it, class action lawsuits also are part of the cost of business. Nothing is ever going to change unless the boards of directors (not CEOs) can be held liable for the behavior of the companies that they direct.
OTOH, breaches especially Health Data breaches are the most over-rated, hysteria inducing breaches of all time. There is ZERO use for anyone for your health data
There is a field in a claims form that indicates what type of insurance it is.
One of these is CHAMPUS, which indicates that it is for a service member or their family. You can tell which.
As a basic case, accumulate these (as in the CHC breach of ~30% of Americans) and you have a nice map of where US military are. Since bases house particular units and types of forces, a nation state can estimate strength and investment in the US military.
In a specific case, the response to claims includes patient responsibility (deductible, co-insurance, co-pay.) Add that up for a financial picture, then you’ve got a nice lead list for service members who have money problems.
Abortion prosecution or societal ostracization.
Streamer doxing.
Literally just being trans.
HIV fear mongering.
Illegal fuckery with your insurance rates.
Employment discrimination.
Stalking.
Racial discrimination.
Can you imagine trying to fully trust a mental health professional today? A patient can't see a therapist's notes, but they sure as hell can be breached.
There is zero LEGITIMATE use for your breached health data.
Insurance companies, and companies that might look to hire you want your health data.
Others may want your health data to bribe you. Maybe you got a STD from a mistress.
Maybe you have a heart condition and the business you are interested in working for self-insures. They don't want you on their books!
> There is ZERO use for anyone for your health data0
You really think that?
Since tech community has been going on for years that it could cause a problem, I now don’t see any way out of this mess other than problems start arising since our politicians and leaders can’t be bothered to take the experts claims as legitimate ahead of time.
> I wonder if the breached data is entering AI corpuses.
One would like to think the creators of AI have been prudent enough to ensure AI output obeys data protection law; however the laissez-faire approach the USA takes to data protection (and the hostility of many Americans on here to the GDPR) suggests otherwise.
Wasn't Meta caught using pirate book databases for their training data? No decision maker of importance at any of these companies gives a whiff of a fart about data privacy beyond the bare minimum required by the letter of the law, and only when they think the expected cost of breaking the law would exceed the benefit.
> What a wildly capitalist take on the loss of confidentiality for personnel data.
As opposed to what exactly? A "communist" take on the loss of confidentiality? How might that go?
"There's no problem comrade, what are you talking about?"
This sounds like a failure of government regulation here, not a failure of a broad economic model.
Well at least the leaks and irresponsibility have hit the HIPAA level, maybe now some old people will take it seriously? Or will the fallout continue to be normalization of data leaks like the morons in the federal government did for credit reporting agencies?
As far as I’m aware, no one at United Healthcare (the monopoly that owns Change Healthcare, which was hacked for most of these) was held accountable.
As with everything in the US, this will be politicized. I wonder which will be the party of “I’m fine with data breaches”
In my view that stance is becoming bipartisan as tech companies lobby nonsense like “we can’t get left behind China’s AI models so give us all the data!”
Democrats and Republicans always think they’re smart by investing in whatever wave of technology. Here we are.
The frog has been boiled.
This optimism in the face of the current state of government made me chuckle-sob.
HIPAA data is always talked sternly about. I’m hoping my health worker professional friends can help bring attention to the issue. Who knows if everyone will just roll over.