back to article Ransomware crooks steal 3m+ patients' medical records, personal info

Several California medical groups have sent security breach notification letters to more than three million patients alerting them that crooks may have stolen a ton of their sensitive health and personal information during a ransomware infection in December. According to the Southern California health-care organizations, which …

  1. Anonymous Coward
    Anonymous Coward

    Stealing patient's medical records

    Can't they just buy them from Palantir ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Stealing patient's medical records

      Or Facebook.

  2. ChoHag Silver badge

    > who is responsible for the attack

    The operations staff. DevOps they call it now. The S is for Security.

    1. Anonymous Coward
      Anonymous Coward

      "DevOps they call it now."

      DevOops, rather?

      :-/

    2. Claptrap314 Silver badge

      DevSecOps

      Is now a thing, you know. I first heard the term on an obscure website that fancies itself as biting the hand that feeds IT...

  3. JassMan
    Joke

    At least it was criminals who stole it.

    The British government would have just given it away.

    Oh wait, maybe we are governed by criminals as shown by the 2 (or more?) previous attempts to hoover up all GP records. Saying they would have been anonymized just doesn't cut the mustard when the data contain enough information to localise the owner back to a household.

  4. Anonymous Coward
    Anonymous Coward

    Any indication which OS these hospitals use?

    I have a fair suspicion which common factor is again in play here, but it would be fun if someone dared voicing it without worrying about their advertising income.

    1. FlamingDeath Silver badge

      Re: Any indication which OS these hospitals use?

      Was it founded by a guy who later become obsessed in the possibility of attaining a nobel peace prize and brushed shoulders with trafficker.

      I’m surprised businesses still use that PoS, I though businesses was all about risk mitigation.

      You know, a key that opens many locks is a master key

      But a lock that is opened by many keys, is just a shitty lock.

      I present to you, Microsoft, the shitty lock

      1. An_Old_Dog Silver badge

        Re: Any indication which OS these hospitals use?

        I'm not defending Microsoft, but I wouldn't be surprised if low-security/no-security configurations create more vulnerabilities than errors in the OSes themselves.

        Low-security/no-security configurations are created by techies who (a) are pressured by management to get it up and running ASAP, damn the torpedoes and "over-engineering" (aka "wasting" time/money on security), and/or (b) are ignorant/incompetent regarding reasonable system security.

        I bought a Patriot-brand media box: you plugged a USB drive with video files into it, and played them on your HDMI-connected TV/display panel.

        I was appalled to find: (1) my box was accessible via telnet, (2) anyone could log into the root account, which had NO password, and, (3) Patriot issued NO software updates for it.

        1. Anonymous Coward
          Anonymous Coward

          Re: Any indication which OS these hospitals use?

          I'm not buying that. Linux and MacOS are quite safe out of the box, but a fresh Windows machine first needs several TB worth of patches before it's even half as safe, mainly because its default settings are "hey, I'm bending over here, come and get me". And Defender doesn't, at least not enough.

          What they DO do, immediately, is ship every bit of data they can grab to Microsoft the moment they go live - weirdly, that code always seems to work rather well..

  5. localgeek

    Record Profits and Accountability

    I read a recent report about hospitals, much like big oil companies, enjoying record profits of late. It doesn't appear those excess dollars are being reinvested in protecting their customers' private information, and the token year of credit monitoring after the fact is being treated as just another cost of doing business. Steep, mandatory payouts directly to affected patients might help their administrations re-prioritize cybersecurity.

    1. Black Label1
      Black Helicopters

      Re: Record Profits and Accountability

      "It doesn't appear those excess dollars are being reinvested in protecting their customers' private information"

      Remember capable and determined fellas can invade the US Pentagon, State Department, NASA, NSA - and some of those folks have bigger pockets and are used to kill for a living.

    2. FlamingDeath Silver badge

      Re: Record Profits and Accountability

      It’s ok because the infestors got their dividends, and thats all that matters in the modern business world.

    3. EnviableOne Silver badge

      Re: Record Profits and Accountability

      This reminds me of something that happened in Europe the letters GDP and R seem to ring bells...

  6. elsergiovolador Silver badge

    Steal

    You don't need to steal medical data.

    You just need to join certain organisation and grease a couple of hands, of people who work for that organisation and the government.

    And all data is yours legally. You just have to share it with other corporations in that organisation.

    And if someone starts looking? Organisation has an army of "information warriors", to ensure person looking gets smeared and not taken seriously.

  7. Woodnag

    So the response to failing to secure people's personal info... is to tell them to pass on personal info to Norton LifeLock?

  8. Pascal Monett Silver badge

    "one year of Norton LifeLock credit monitoring"

    Norton ? Dear God, just hang me now.

  9. FlamingDeath Silver badge

    As an IT bod, it pains me to say this

    Just stop agreeing to the licensing terms

    “I’m sorry, I cannot use your electronic crap because I’ve not read nor understand nor want to, this legalese”

    Remember, you don't pay money for software, you are paying for the license agreement.

    Privacy policy? Kinda meaningless when the data you collected is handed to malicious people through ineptitude

    Lets be clear here, every single breach of a company by “sophisticated ” ahem… hackers, is a case of an inept staff member(s) doing something they shouldn’t, or not doing something they should .

    I’ve worked at a lot companies and they’re all equally shit, staffed by lackies, with no understanding of infosec or even what ISO27001 is, and why placing it in a ridiculously narrow scope, which they know they can pass, briefly, momentarily, is not going to provide any operational protection

    Maybe these companies should start employing competent and “sophisticated” staff, but that costs money and infestor shareholders looooove money so won’t want to give any of it up

    1. IGotOut Silver badge

      What have licencing terms got to do with being hacked? Seriously. What?

  10. Anonymous Coward
    Anonymous Coward

    The machine that goes *bing*

    Suddenly started going *bong*.

    That’s when we knew something was up.

  11. AbeSapian

    Equifax

    Equifax donated my entire credit information and history to the dark web years ago (why are they still in business). I froze my credit then. Lately Experion decided to make their contribution to identity theft. Between the two of these monsters, what can a measly hospital do? It's to the point where it's hardly worth mentioning any more.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like