
Healthcare.gov confirms hackers stole income, immigration and tax data - ccwilson10
https://techcrunch.com/2018/11/09/hackers-stole-income-immigration-and-tax-data-in-healthcare-gov-breach-government-confirms/
======
ObsoleteNerd
Australians, don't forget to opt-out[0] of MHR before November 15th (eg, do it
NOW). Our Government can't even run a census[1], let alone be trusted to keep
our medical data safe.

[0] https://www.myhealthrecord.gov.au/for-you-your-family/opt-out-my-health-record

[1] https://www.lifehacker.com.au/2016/08/what-organisations-can-learn-from-the-abs-census-fail/

~~~
eksemplar
As a European, I’ll never understand why people have such a distrust for
public healthcare, but will still log into google when they search for
symptoms.

The public sector uses the data to save your life, google sells your medical
search history to your insurance company.

I do work in the public sector, and I’m obviously biased, but really, I’d
prefer an efficient public sector to a dysfunctional one hindered by data
security.

I mean, if we took the GDPR at its strongest interpretation, then you'd need
to consent when the ambulance hands your information over to the hospital, and
if you're unconscious, well, tough luck, then you'll just have to die. In what
world does that make any sense?

~~~
jefftk
_> google sells your medical search history to your insurance company._

Wait, what!? Where is this coming from?

(Disclosure: I work on ads at Google, and while I can't speak for the company
this is very much not something I think we do.)

~~~
AndyMcConachie
Prove it.

~~~
bob_roboto
Prove you're not an alien lizard person.

------
xfactor973
Dammit. I wish you could delete accounts. I have tons of accounts and can’t
seem to find links or settings to delete any of them to reduce my exposure to
this crap.

~~~
Jaepa
Well, you could try to do an account remove under GDPR. It would be pretty
entertaining in this case.

~~~
mburst
GDPR is only for European citizens

~~~
Jaepa
Actually it applies to EU & EEA citizens as well as anyone inside an EU/EEA
nation. Most places don't do any verification though. In theory though you
could walk into an EU embassy & make the call from there.

------
mychael
American taxpayers paid over 500 million for Healthcare.gov.

[https://en.wikipedia.org/wiki/HealthCare.gov](https://en.wikipedia.org/wiki/HealthCare.gov)

~~~
beambot
Zenefits raised $583M to build their platform... So to first order: seems
reasonable.

~~~
hedvig
No, but you see, shareholders may eventually profit from that. But if it's
publicly funded and the public benefits, it's a bad thing because how can
capital get some sweet returns in this scenario?

------
youeseh
Is data in [http://coveredca.com](http://coveredca.com) also affected by this?

------
stevenicr
Would be nice if they would publish the known search strings. Right now I am
assuming "expected income >= 100,000" - that could give many a sigh of relief
perhaps. Article mentions "engaged in excessive searching" and some of the
details taken include "expected income".

At this point hackers could be a better source of credit rating given that
they could combine info from hacks like this and the other credit agency
(experian?) hacks with other insurance hacks (anthem?) -

I wonder if my signup app info is still in this system from a couple years ago
or has been removed?

------
reaperducer
I started the signup process when I was between jobs, but stopped because I
got an offer.

For months I kept receiving e-mail reminding me that my application was
incomplete, and cajoling me to finish.

I wonder if the hackers got my partial information, or if it was only stored
in affected systems after completion.

------
social_quotient
Maybe stop asking for back doors until you’ve gotten all of your front doors
secure?

~~~
Novashi
The original Healthcare.gov was a clusterfuck because contractors did a shit
job. They did a relaunch, but I'm wondering how much of it was actually
rewritten.

I'm putting my money on brokers/agents having weak passwords and someone did
some guessing like firstname.lastname@something.gov/<password>

~~~
heelix
I was one of the poor souls sent in as part of the tech surge to fix it. Ah,
what a cluster fuck that was. CGI spent most of the time making UML diagrams,
with the hopes that a UML > Java > XML generator would do the job... only to
discover they missed out on the data modeling. Always fun to see CNN show a
twitter feed the moment you take down something for patching.

~~~
simplify
Oh wow. I would love to hear more stories if you have any.

~~~
heelix
Day 0, when it went live, ACA successfully processed six people. :P

Will give a few more tomorrow, when I have something more than a phone.

------
specialist
Data leaks like this are inevitable. Plan for it, moot the problem with proper
design.

The correct answer is to encrypt all demographic data (PII) at rest using
translucent database techniques.

Just like a properly salted, encrypted password store.

Because of data interchange, individuals will need globally unique
identifiers, eg Real ID.

(These systems still require access & audit logs.)
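As an added illustration of the translucent-database idea in the post above (this is not code from the thread; the identifier, secret and PII values are constructed), a minimal store where the server keeps only a salted one-way lookup token, PII encrypted under a key derived from a secret the individual holds, and an audit trail of lookups:

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor, as for a salted password store


def derive_keys(unique_id, user_secret, salt):
    """Derive a lookup token and an encryption key from the ID plus the person's secret."""
    material = hashlib.pbkdf2_hmac(
        "sha256", f"{unique_id}:{user_secret}".encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key, nonce, data):
    # Stand-in for a real AEAD such as AES-GCM so the example runs on the stdlib alone:
    # HMAC-SHA256 in counter mode used as a keystream. Use a vetted cipher in practice.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class TranslucentStore:
    """Server side: a leaked dump yields only tokens, ciphertext and MACs."""

    def __init__(self):
        self.salt = os.urandom(16)          # public per-database salt
        self.rows = {}                      # token -> (nonce, ciphertext, tag)
        self.audit = []                     # (token, outcome) access log

    def put(self, unique_id, user_secret, pii):
        token, key = derive_keys(unique_id, user_secret, self.salt)
        nonce = os.urandom(12)
        ct = _keystream_xor(key, nonce, pii.encode())
        tag = hmac.new(key, nonce + ct, "sha256").digest()   # integrity over the row
        self.rows[token] = (nonce, ct, tag)
        self.audit.append((token, "put"))

    def get(self, unique_id, user_secret):
        token, key = derive_keys(unique_id, user_secret, self.salt)
        row = self.rows.get(token)
        if row is None:                      # wrong ID or wrong secret: same answer
            self.audit.append((token, "miss"))
            return None
        nonce, ct, tag = row
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
            self.audit.append((token, "tamper"))
            return None
        self.audit.append((token, "hit"))
        return _keystream_xor(key, nonce, ct).decode()
```

Without the person's secret an attacker holding the table cannot even tell which row belongs to a given ID, which is the property the post is after; the audit list is the access log it says such systems still need.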

------
exabrial
One of the best $150 million dollar websites the taxpayer had ever bought!

~~~
exabrial
Whoops, sorry, apparently it's $319 million according to Sebelius.

https://www.washingtonpost.com/news/fact-checker/wp/2013/10/24/how-much-did-healthcare-gov-cost/

~~~
finkin1
According to Wikipedia:

"The original budget for CGI was $93.7 million, but this grew to $292 million
prior to launch of the website. While estimates that the overall cost for
building the website had reached over $500 million prior to launch, the Office
of Inspector General released a report finding that the total cost of the
HealthCare.gov website had reached $1.7 billion."

[https://en.wikipedia.org/wiki/HealthCare.gov](https://en.wikipedia.org/wiki/HealthCare.gov)

Here's the report claiming $1.7B total cost:
[https://oig.hhs.gov/oei/reports/oei-03-14-00231.asp](https://oig.hhs.gov/oei/reports/oei-03-14-00231.asp)

~~~
Avshalom
Of course facebook spends 20 billion a year and can't keep its shit together
either.

Maybe people should stop thinking software is cheap.

~~~
briandear
Facebook handles hundreds of millions of users per day. Including images and
movies. Facebook’s problems are rarely technical. Healthcare.gov is
essentially a CRUD app.

~~~
docbrown
I'm sure Healthcare.gov contractors had a lot more bureaucracy and protocols
they had to follow—especially security—regarding a project of this magnitude
than a cubicle engineer at FB. Granted, the original launch was botched, but
trying to compare the two is apples and oranges.

------
dmead
Is this before or after it was moved from usds to a contractor?

~~~
fjsolwmv
Healthcare.gov wasn't hacked. Its users' systems were hacked, and the hacked
client systems logged in to healthcare.gov through normal means.

~~~
khazhou
This distinction is not useful to the people whose information was accessed.
Perhaps healthcare.gov could have been designed in such a way that sensitive
user information was not available to client systems, or somehow required that
clients have higher levels of security to prevent this from happening.

~~~
CobrastanJorji
This is big, east coast, many-contractor design. By the time things made it to
the point that somebody was thinking about security, a rule like "providers
will be given access to the following fields for a client upon request" was
likely already written into a half dozen contracts between seventeen sub-
contractors.

~~~
isoskeles
Yes, take note east coasters. This doesn't happen on the west coast.

~~~
CobrastanJorji
Is that not a thing? I had thought "west coast" described startupy, in-house,
vaguely agile type of software development, and "east coast" described
government contracting, sub-sub-sub contracting, waterfall-style development.
Maybe I just picked it up from the folks around me and thought it was more
universal.

~~~
snakeboy
Haha, were those 'folks around' you on the west coast, perhaps?

