
Isn't this the type of scenario HIPAA is supposed to cover?


It is. HIPAA should destroy these jerks. The problem is that they are stating that no health data was actually lost... just the part of the health data that identifies you and can be used to ruin your credit.

Since that part of the data should be the most locked down, it seems like a complete lie to me. I think the health info was compromised completely.


Amazing how whoever broke in only stole name/address/SSN information, but didn't touch the protected medical records?

https://www.noagendaplayer.com/listen/694/2-19-54


Those are likely in an entirely separate system.


I would bet that they store SSN and MRN in the same table. Since the personally identifiable information (patient demographics) is the foreign key for the patient data, it seems likely that everything is compromised.

One way to have not allowed this is to force the database to restrict queries to use two pieces of information in the where clause. This means that they would have to search for name = "John Smith" and MRN = "xyz". This would prevent mass queries and database dumps.
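The "two pieces of information in the WHERE clause" idea from the comment above, worked through as an added example (mine, not the commenter's). It assumes a single table holding demographics, SSN and MRN together, as the comment suggests, with constructed sample rows and an assumed `MRN-NNNN` format. The data-access function refuses any lookup that lacks either identifier, contains wildcard characters, or matches more than one row, and records every attempt so that repeated refusals show up as a detection signal:

```python
import re
import sqlite3

# Constructed sample rows (not real data): one table where demographics,
# SSN and MRN live together, as the comment above suggests is common.
SAMPLE_PATIENTS = [
    ("John Smith", "123-45-6789", "MRN-0001"),
    ("Jane Doe",   "987-65-4321", "MRN-0002"),
    ("John Smith", "111-22-3333", "MRN-0003"),
]

# Assumed MRN shape for this example; real systems have their own format.
MRN_PATTERN = re.compile(r"^MRN-\d{4}$")

AUDIT_LOG = []  # every lookup attempt, accepted or refused, is recorded here


class LookupRejected(Exception):
    """Raised when a query does not satisfy the two-identifier rule."""


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (name TEXT NOT NULL, ssn TEXT NOT NULL, mrn TEXT NOT NULL UNIQUE)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def _reject(name, mrn, reason):
    """Record a refused attempt and abort the lookup."""
    AUDIT_LOG.append({"name": name, "mrn": mrn, "outcome": "rejected", "reason": reason})
    raise LookupRejected(reason)


def lookup_patient(conn, name, mrn):
    """Return the single row matching BOTH name and MRN, or None.

    The gate refuses anything that could be turned into a bulk read:
    a missing identifier, wildcard characters in the name (harmless with
    '=' but kept so the rule survives a later change to LIKE), an MRN
    that does not look like an MRN, or a match that is not unique.
    """
    if not name or not name.strip():
        _reject(name, mrn, "name is required")
    if not mrn or not mrn.strip():
        _reject(name, mrn, "MRN is required")
    if any(ch in name for ch in "%_"):
        _reject(name, mrn, "wildcards are not permitted in name")
    if not MRN_PATTERN.match(mrn):
        _reject(name, mrn, "MRN does not match the expected format")

    # Parameterised query with an equality predicate on both identifiers.
    rows = conn.execute(
        "SELECT name, ssn, mrn FROM patients WHERE name = ? AND mrn = ?",
        (name, mrn),
    ).fetchall()

    if len(rows) > 1:
        _reject(name, mrn, "lookup matched more than one patient")

    row = rows[0] if rows else None
    AUDIT_LOG.append({"name": name, "mrn": mrn, "outcome": "ok", "found": row is not None})
    return row


def safe_lookup(conn, name, mrn):
    """Convenience wrapper that reports the outcome instead of raising."""
    try:
        return ("ok", lookup_patient(conn, name, mrn))
    except LookupRejected as exc:
        return ("rejected", str(exc))


def rejected_attempts():
    """Number of audited attempts the gate refused (what monitoring would alert on)."""
    return sum(1 for entry in AUDIT_LOG if entry["outcome"] == "rejected")


if __name__ == "__main__":
    db = build_db()
    print(safe_lookup(db, "John Smith", "MRN-0001"))  # legitimate two-key lookup
    print(safe_lookup(db, "John Smith", ""))          # name alone: refused
    print(safe_lookup(db, "%", "MRN-0001"))           # wildcard name: refused
    print(safe_lookup(db, "Jane Doe", "MRN-0001"))    # mismatched pair: no row
    print("rejected attempts:", rejected_attempts())
```

The gate only helps if it is the sole path to the table: the application's database account should have no direct SELECT on `patients` (access through a view or stored procedure that takes both parameters), otherwise a compromised application credential simply bypasses the function. The audit entries are the detection side of the same control; a burst of "MRN is required" or wildcard refusals from one caller is exactly the pattern a mass-extraction attempt leaves behind.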


Having the ID - SSN or MRN - isn't the same as having the patient's full medical records. It'd be entirely possible for a system to have the IDs and not the data - a billing system, perhaps. It all depends on the nature of the compromise.


The argument I'm trying to make is that if someone compromises SSNs, which are used to authorize patients, it's very likely that they have also compromised MRN since MRN is what most healthcare applications use internally as the identifier for patient data.

In the case that they stored SSN and MRN together, which I believe is highly likely, the attackers also gained access to the MRN.

If the most highly protected data, the demographic data (the name and identifying information about the individual patient), is unencrypted and easily compromised, I believe that patient data was very likely compromised as well.

It is possible, however, that the attackers were only after information that could be used to commit identity theft, so they may have ignored the health information; however, this does not mean that the health information was properly protected.


I'm not sure that it's a settled matter that HIPAA doesn't apply in this case. PHI includes demographic information which would seem to apply here just based on what we already know has been leaked.


The problem is, the jerks have more lawyers and lobbyists than you do, so you lose by default.

Money begets money, power begets power. Either begets the other. The great vicious cycle of our civilization.


I worked in several similar companies, and indeed, it's extremely rare that such data is well protected. It works under the assumption that if it's not been broken into until now, then it's safe enough.

Obviously that's broken logic since:

- you're not compromised by default/when the business starts

- when you're compromised, you probably don't even know it. You might find out in a few years if lucky.



