You've been pwned, how much will each stolen customer SSN cost you? How about $7.5k?

A Florida healthcare group has settled a class-action lawsuit after thieves stole more than 447,000 patients' names, Social Security numbers, and sensitive medical information from its servers. Under the settlement [PDF], Orlando Family Physicians, which operates 10 clinics in central Florida, will reimburse affected patients …

  1. Simian Surprise

    SSN theft

    > This included names; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual's Social Security number or other subscriber identification number; medical record numbers; patient account numbers; and passport numbers.

    I've been a US citizen for decades and I've never understood the whole SSN thing. A single number, which you can't change, which gives people who find out about it the ability to see all sorts of personal info, apply for loans, access various government websites, ...

    At least my passport number rotates every time I get a new passport.

    I already assume that my (name, SSN, some current or previous address, birthday) tuple is leaked out there already. I'd be significantly more livid to know that my medical info got leaked: there's some things about my health I'd rather keep between me and my family. But that's not what gets the big bucks in compensation, I guess.

    1. chivo243 Silver badge
      Black Helicopters

      Re: SSN theft

      Yes, the SSN system is wholly abused by every facet of life in America. At a lot of employers, it was my employee number. I'm not sure how Social Security and the IRS are connected, but the SSN is also your TIN...Taxpayer Identification Number?

      I don't see any problems there /s

      1. Anonymous Coward

        Re: SSN theft

        What's even better is one of the Oracle DBs I admin uses SSNs as a primary key all over the place. The original developers are far out of horse-whipping reach.

        And if you look at a Social Security card, it says in bold type: "Not to be used for identification purposes"

        I suppose there isn't an actual law behind that, or I'd be suing the IRS and every man Jack for breaking it.

        1. Anonymous Coward

          Re: SSN theft

          "... but with few exceptions, the collection and use of personal information by the private sector is unregulated. Your employment, insurance and health records are up for grabs."

          The opinions of the SSA (SSNs should be protected) and the greater government (you're meat for business!) seem to have differed...

        2. Cliffwilliams44 Silver badge

          Re: SSN theft

          This is the idiocy of left leaning governments

          When Social Security was created there were several concerns that those against it presented that were discounted by its advocates as "scare mongering".

          1. That this is the establishment of a national identity card. Something Americans have traditionally been vehemently against.

          2. That businesses would start using this as a single identifier for their customers and start asking for customers to reveal it.

          3. That stolen SS Numbers would be used for fraudulent purposes.

          4. That the government would steal the money and use it for purposes totally unrelated to Social Security.

          All of which came true!

      2. el_oscuro
        Pirate

        Re: SSN theft

        When I encounter a new Oracle database, one of my first SQLi queries:

        ?p1=' union select owner, table_name, column_name, null,null from all_tab_columns where column_name like ''%SSN%''--

    2. WolfFan

      Re: SSN theft

      When I got an American SSN four decades ago, (I had to have one to be paid for my on-campus job) the card had Big Red Letters on it stating that it was NOT FOR USE FOR PERSONAL IDENTIFICATION. A replacement card, obtained less than a decade ago, after the original card pretty much died in action, lacked that notification. There is still a notification on the stuff that comes with the card that you really shouldn’t walk around with your card.

      Note that my roommate on campus was Navy ROTC. The USN issued him with a ‘seabag’ (officer’s version) which had his SSN printed on it. He said that enlisted men got similar seabags, and might have the SSN on the backs of various uniform items, and lockers, and so on, as the US military (not just the Navy) used the SSN as their military ID number. (Officers didn’t have their SSN printed on their uniforms.)

      And, oh, the uni gave me a new uni ID card, with the SSN. All students who had SSNs, a.k.a. all American students, and non-American students who had on-campus jobs, had their SSNs as the student ID number. Grades were posted on the professors’ doors, listed by student ID. A.k.a. SSN. It was trivially easy to obtain someone else’s SSN.

    3. Stork

      Re: SSN theft

      I have also been puzzled by this, but differently.

      In Denmark, everyone has since around 1970 been issued with a SSN in the form DDMMYY-NNNN. It quickly became used everywhere, public sector, banks, employment; it _is_ your identity and I don’t think it’s possible to open a bank account or rent long term without one.

      And still, I have never heard about identity theft outside Facebook and similar. Is it so pervasive that it is hard to take over? I should add that there is no compulsory picture ID.

  2. elDog

    $25/hour in recompense for time spent by individuals trying to clean up this mess?

    And how much are the doctors and lawyers paid per hour?

    When I was gainfully employed my rate was 3 to 5 times that paltry $25.

  3. ecofeco Silver badge

    As always, the onus is on the victim

    Prove your data was used criminally?

    It was stolen wasn't it? Prima facie.

    Screw this bollocks of the victim having to provide extra proof they were wronged. And $25hr with a three hour cap to provide the proof? Utter, criminal, horseshit. What's the current lawyer rate these days? Yeah, that's the minimum.

    The company is going to pay only a fraction of what they should. And they know it.

    1. Gene Cash Silver badge

      Re: As always, the onus is on the victim

      Oh no, I'm sure they're moaning that they're being taken to the cleaners "for this tiny little incident" and they're going bankrupt.

      It's just sad that the news is that they're paying anything at all. Usually they get away scot free.

    2. Dimmer Silver badge

      Re: As always, the onus is on the victim

      In my earlier life I was in a child custody case. Lawyers always love to run up the bill by requiring the other party to produce as much paperwork as they can. In winning the case (other did not care enough for the kids to show up), the judge asked if I had any request.

      Yep, I need counsel to prove to me that they will follow GLBA (Financial) and HIPAA (medical) record requirements. That little money grubbing paper stunt just became a liability.

      After much pleading, the judge informed him that he WILL be following the law.

      In the states, congress passed a law preventing lawyers from exempting themselves.

  4. IceC0ld

    always amazes me that any intrusion is met with the old, we got an expert company, leader in its field to check our systems ..............

    always AFTER

    why oh why, don't companies get their systems pen tested thoroughly BEFORE it goes active ?

    or is that just me being all woke and wishy washy :o)

    1. el_oscuro
      Devil

      They need a red team group like the one I am in to test their systems. We don't report to anyone in the development groups, and our job is literally to pwn them. We get extra points for irony and spite.

    2. Dimmer Silver badge

      Some think they did. When you give the “tester” the admin password and a network drawing, it is NOT pen testing, it is a network assessment.

      Pen testing is a BLIND test and they VERIFY that they can get access.

      Knowing your attack surface is valuable info.

  5. Anonymous Coward
    Facepalm

    Tonight I'm gonna party like it's 1999 /s

    “Prince - 1999 (Official Music Video)”

    https://www.youtube.com/watch?v=rblt2EtFfC4
