Hacker News
Healthcare.gov confirms hackers stole income, immigration and tax data (techcrunch.com)
243 points by ccwilson10 10 months ago | 79 comments



Australians, don't forget to opt-out[0] of MHR before November 15th (eg, do it NOW). Our Government can't even run a census[1], let alone be trusted to keep our medical data safe.

[0] https://www.myhealthrecord.gov.au/for-you-your-family/opt-ou...

[1] https://www.lifehacker.com.au/2016/08/what-organisations-can...


As a European, I’ll never understand why people have such a distrust for public healthcare, but will still log into google when they search for symptoms.

The public sector uses the data to save your life, google sells your medical search history to your insurance company.

I do work in the public sector, and I’m obviously biased, but really, I’d prefer an efficient public sector to a dysfunctional one hindered by data security.

I mean, if we took the GDPR at its strongest interpretation, then you’d need to consent when the ambulance hands your information over to the hospital, and if you’re unconscious, well, tough luck, then you’ll just have to die. In what world does that make any sense?


> you’d need to consent when the ambulance hands your information over to the hospital, and if you’re unconscious, well though luck, then you’ll just have to die

lol nope. GDPR does address this. It's one of the bases for processing - vital interests.

Read here for more if you're interested: https://ico.org.uk/for-organisations/guide-to-the-general-da...

GDPR is far less vague & excessively strict than people seem to think. It's sensible and pretty well-defined imo. You just need to take a little bit of time to read it and consider how it reasonably applies to you.


As an Australian, our public healthcare has a lot of trust, as does the public sector that operates it. What we don't trust is government IT initiatives. Our political class do not understand technology and in this country nobody takes responsibility for creating, managing and verifying their own IT systems. IT here is all about procurement. Everything is outsourced. Nobody knows what the hell they are doing and there is no way they even understand the systems and services they are buying. I have no confidence in their ability to protect health data.


> google sells your medical search history to your insurance company.

Wait, what!? Where is this coming from?

(Disclosure: I work on ads at Google, and while I can't speak for the company this is very much not something I think we do.)


Prove it.


Prove you're not an alien lizard person.


As an Australian... Our government does not know how to build a technical system. They have a lot of failures on their hands.

Thus, not opting out does give all your medical data to the private sector anyway. Because they will have large breaches of data. And insurance companies will use it.


Every government has a lot of IT failures, but the perception that they are worse than other enterprises is mostly due to the failures being on record.

There was a study in the 00s that looked at major IT system implementations, and I can’t remember the exact number, but it was around a 77% failure rate for business and around 85% for public sector systems.

Which frankly makes a lot of sense. Because the public sector buys its systems from the same software companies that the private sector does.

I don’t necessarily think giving up is the best solution though, I think it would be better if we demanded a higher priority on IT from our political leadership than we do now. I mean, we’re seeing some with the GDPR, but did we really have to rely on the EU to do the right thing?


> I don’t necessarily think giving up is the best solution though, I think it would be better if we demanded a higher priority on IT from our political leadership than we do now.

But opting out of a broken system (many GPs are refusing to use the system as they, in their general computer illiteracy, still find it to be insecure), is not the same as just asking for the government to do better.

You should opt out now, system is broken.

You should ask for it to be better in future - we are. Our government rejected a commission investigating why the last large-scale architecture deployment, NBN, was such an atrocious failure. A year later (under a different controlling party), a different government branch did launch an investigation, and found that it was an utter failure, at pretty much every level.

But again... That doesn't mean opting out isn't wise.

1. GPs think it's insecure.

2. If you have a MHR, then the police, Centrelink, Medicare can access it without a court order or subpoena (not the case if the clinic holds the records).

3. Finally, MHR accept no responsibility if they do get a breach. In fact, their security disclaimer suggests that the user will be considered at fault if it happens.


Look at it from a bigger perspective. We have a digital mail box for every citizen in my country. It’s safe and works very well, but people still have the option to opt out.

Opting out was meant for people who aren’t capable of accessing a digital mailbox, but because of the reputation of public IT some people opt out for no reason other than they don’t want to be part of it.

That’s their right, sure, but those 1-3% of the population are now costing the government as much as the other 97% times four.

The typical person to opt out isn’t old by the way, seniors are among the most happy users, no, it’s middle aged men who think they know better than the system.

Ironically around 80% of them would like to cut the public funding. I guess we could start with all the money they are wasting by opting out.


MHR is connected to mygov.

mygov, is [0] not [1] secure [2]. Therefore, MHR is not secure. I have no reason to believe the situation has changed (2FA is still SMS only for starters) - and I cannot see any reasonable effort being made by our government to change that same situation.

Their past response [3] has been to ignore security problems.

I don't care how much they're paying for this brand-new insecure service. I'm irritated that they're asking Australia to pay for something that wasn't requested (people asked for an easier way to transfer records - not for their records to be housed in a known, insecure facility), and I'm irritated that after complaints of insecurity began surfacing across the nation, they started a campaign on TV calling it secure.

So no, the bigger perspective isn't a nation paying a lot for a system that isn't getting used - the bigger perspective is the nation is paying the government to allow enterprising individuals to steal and sell their data.

[0] https://www.zdnet.com/article/mygov-health-records-breached-...

[1] https://www.smh.com.au/technology/revealed-serious-flaws-in-...

[2] https://www.smh.com.au/technology/australians-private-govern...

[3] http://www.scribd.com/doc/224260090/MyGov-Security-Gov-Respo...


>google sells your medical search history to your insurance company.

[citation needed]


> alone be trusted to keep our medical data safe.

Not just against malicious attackers, but "legitimate" abuse like insurance companies or employers getting access without you knowing!


Dude wtf, we need this data to help treat patients and save lives.


Imagine I was running a charity that accepted donations by asking people to post their bank login credentials on a corkboard outside my house.


that's not really secure enough, you should require that they confirm how much they want you to withdraw as a line item next to their password.


Why does the data need to be stored on a centralised database accessible by 100,000 people and not on individual Medicare cards?

Is there some dire pressing need where people are literally dying because doctors can't access prior medical history in time? I've not heard anything of the sort.

Do you think the Australian government is proficient with IT and IT security?


People die when the data isn’t available or wrong.

In the perfect world, you could design an architecture for sharing data, so patients would own some sort of medical card with their history.

In the real world, your doctor and your eye doctor bought different IT systems that can’t share data without someone manually typing them in.

Hell, the hospital probably runs around a thousand different IT systems and maybe two of them have APIs, but one is SOAP and the other is GraphQL and there isn’t any middleware to make them speak with each other. So the hospital can’t share your journal between your ward and the X-ray room, unless there is a centralised journal.

We’re working toward a better architecture, but it’s not easy, and if only 500 of your 1000 systems adopt it, then you’ll still need a way to handle those 500 systems.

Things are made worse by the political decision organ and its varying agendas.

For a decade you may have political leadership that enforces an open architecture in which systems have to be able to share data. And you get maybe 10 major systems built on it, and they work, and you build some middleware and use RPA for some of the other systems.

Then the political landscape shifts, and maybe lobbyists play a part. Because open architecture for data is making companies less money since they can’t sell you data extractions. So they spend money on politics, and the conservative side listens and starts making the open APIs and public ownership and management illegal because it “steals” jobs.

Then you have another decade where you change another 10 major systems, except now they are silos and you fire your local IT developers so you can’t build RPA or middleware.

Then people realise that was stupid, so it shifts back to open architecture. Except now 20 years have passed, so we design a new open architecture that doesn’t fit with the old one. And then we buy another 10 major systems on the new architecture.

Now, after 30 years of good intentions, you still need a centralised way to share patient data, and when it fails, people do die.


I don’t have a horse in this race however:

> Is there some dire pressing need where people are literally dying because doctors can't access prior medical history in time

People definitely do die from that.


Because cards break, are lost and stolen all the time. Moreover, ER patients may not have the card with them when they need it. One would still need a centralized backup.


> Do you think the Australian government is proficient with IT and IT security?

Not to a sufficient level.


This is what I think - I can opt it at any time, and provide my entire medical history, but I can never delete my data.

So I'll opt in when I need to.


Unfortunately the Aust government often seems to incompetently implement their (larger) IT projects.

IF there was a track record of success, then this might be fit for purpose. The chances are extremely low though.


This reminded me to do it after I failed to remember to do it a few days ago. Thanks!


Things are grim in Ontario as well, the ministry of health is trying to centralize EHRs (rather than do the sensible thing Alberta's chose: a standard viewer application mapped on a distributed records system), and they don't give one solitary fuck about the data integrity or privacy outcomes their effort has (ask anyone involved, and they'll tell you it's somebody else's job).


Dammit. I wish you could delete accounts. I have tons of accounts and can’t seem to find links or settings to delete any of them to reduce my exposure to this crap.


In many systems "deleting" your account just means turning on a flag in your profile. Plus there is the issue of deleted accounts information previously existing in backups.

It seems like once we give any data to any company/entity/organization in this age that it will likely be around, somewhere, forever :(


Well, you could try to do an account remove under GDPR. It would be pretty entertaining in this case.


GDPR is only for European citizens


Actually it applies to EU & EEA citizens as well as anyone inside an EU/EEA nation. Most places don't do any verification though. In theory though you could walk into an EU embassy & make the call from there.


American taxpayers paid over 500 million for Healthcare.gov.

https://en.wikipedia.org/wiki/HealthCare.gov


$500 million -> optimistically 2000 developer-years, assuming no budget for hardware, management or profit.

I'm not saying someone didn't mess up or that the security breach wasn't preventable, I have no knowledge of that, but I hope no one on HN is surprised that building a site that on the frontend handles traffic from a significant fraction of the US and on the backend interfaces with basically every insurer in 30-some states is something that might take hundreds of developers a few years to develop.

(Which again, is not meant to imply that there wasn't any waste or that the project was completed as efficiently as possible, but when people say they could have done it in a quarter with 5 people, I say, what is wrong with you?)


It sounds like that’s irrelevant because the problem was compromised accounts using the system:

> On October 16, 2018, we found that a number of agent and broker accounts engaged in excessive searching for consumers, and through those searches, had access to the personal information of people who are listed on Marketplace applications.
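A defender-side check for the pattern in the quoted notice, added here as an example and not part of the thread or of any Marketplace code: it parses constructed audit-log lines (the log format is assumed) and flags agent/broker accounts that looked up an unusually large number of distinct consumers in one day.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed audit-log lines for this example (not the real Marketplace format):
// <RFC3339 timestamp> <agent/broker account> SEARCH <consumer id>
const sampleLog = `
2018-10-13T09:00:00Z broker-a SEARCH c-1001
2018-10-13T09:05:00Z broker-a SEARCH c-1001
2018-10-13T10:30:00Z broker-a SEARCH c-1002
2018-10-13T09:01:00Z broker-b SEARCH c-2001
2018-10-13T09:01:07Z broker-b SEARCH c-2002
2018-10-13T09:01:15Z broker-b SEARCH c-2003
2018-10-13T09:01:22Z broker-b SEARCH c-2004
2018-10-13T09:01:30Z broker-b SEARCH c-2005
2018-10-14T11:00:00Z broker-b SEARCH c-2006
`

type event struct {
	ts       time.Time
	account  string
	consumer string
}

// parseLog rejects malformed lines instead of skipping them: a silently
// dropped line is a blind spot for any detection built on the log.
func parseLog(raw string) ([]event, error) {
	var events []event
	for i, line := range strings.Split(raw, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 || f[2] != "SEARCH" {
			return nil, fmt.Errorf("line %d: unexpected format %q", i+1, line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, event{ts: ts, account: f[1], consumer: f[3]})
	}
	return events, nil
}

// excessiveSearchers returns accounts whose count of distinct consumers looked up
// on one UTC day exceeds limit, mapped to their peak daily count. Distinct targets
// are the signal: re-opening one applicant is normal, enumerating many is not.
func excessiveSearchers(events []event, limit int) map[string]int {
	type bucket struct{ account, day string }
	seen := map[bucket]map[string]bool{}
	for _, e := range events {
		b := bucket{e.account, e.ts.UTC().Format("2006-01-02")}
		if seen[b] == nil {
			seen[b] = map[string]bool{}
		}
		seen[b][e.consumer] = true
	}
	flagged := map[string]int{}
	for b, consumers := range seen {
		if n := len(consumers); n > limit && n > flagged[b.account] {
			flagged[b.account] = n
		}
	}
	return flagged
}
```

With a daily limit of 3, `excessiveSearchers(events, 3)` on the sample flags only `broker-b` (5 distinct consumers on 2018-10-13); the threshold in practice should come from each account's own baseline.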


Zenefits raised $583M to build their platform... So to first order: seems reasonable.


No, but you see, shareholders may eventually profit from that. But if it's publicly funded and the public benefits, it's a bad thing because how can capital get some sweet returns in this scenario?


Is data in http://coveredca.com also affected by this?


Would be nice if they would publish the known search strings. Right now I am assuming "expected income >= 100,000" - that could give many a sigh of relief perhaps. Article mentions "engaged in excessive searching" and some of the details taken include "expected income".

At this point hackers could be a better source of credit rating given that they could combine info from hacks like this and the other credit agency (experian?) hacks with other insurance hacks (anthem?) -

I wonder if my signup app info is still in this system from a couple years ago or has been removed?


I started the signup process when I was between jobs, but stopped because I got an offer.

For months I kept receiving e-mail reminding me that my application was incomplete, and cajoling me to finish.

I wonder if the hackers got my partial information, or if it was only stored in affected systems after completion.


Maybe stop asking for back doors until you’ve gotten all of your front doors secure?


The original Healthcare.gov was a clusterfuck because contractors did a shit job. They did a relaunch, but I'm wondering how much of it was actually rewritten.

I'm putting my money on brokers/agents having weak passwords and someone did some guessing like firstname.lastname@something.gov/<password>


I was one of the poor souls sent in as part of the tech surge to fix it. Ah, what a cluster fuck that was. CGI spent most of the time making UML diagrams, with the hopes that a UML > Java > XML generator would do the job... only to discover they missed out on the data modeling. Always fun to see CNN show a twitter feed the moment you take down something for patching.


Oh wow. I would love to hear more stories if you have any.


Day 0, when it went live, ACA successfully processed six people. :P

Will give a few more tomorrow, when I have something more than a phone.


Can you expound on the data modeling they missed out on? Is the UML code generator a bad way to go in your opinion or did they just not do due diligence with data modeling?

(Asking because I'm starting a new data-heavy project and I'm considering generating code from UML.)


At the core, they sort of missed the problem. With the advent of ACA, you could no longer use medical history to set rates. You had age, sex, smoker -- and the killer location. What they were actually after is a bit of a rules engine, as one person may have 30k+ offerings, another location none. Think actuarial tables at the zip code level. The data model itself was a bit ... modeled around people and missed the rate part. I think they had about 2 years - and spent much of that time modeling. The cracks were not evident until way too late.

One of my favorites was the way they serialized the POJOs. Data object turned to XML. Send to a process that added more stuff. Send to another process, lose all the non-base stuff. Lots of data corruption. The model being wrong required them to try and tack on all sorts of extra stuff... but the framework really did not support it.

They tried to match a handful of A players with a bunch of C grade developers. Then they pulled all the A players into never ending meetings. I saw little to no code review of what was actually going on. Folks literally copied switch blocks, because the code worked, and left in the old case statements. Exceptions eaten. Text book example after example of what you might expect in the daily wtf type code.


Does legislation take into account at all how difficult or complicated it is to implement?


hah


Contractors did a shit job because the people in charge had no idea what they were doing.


I was surprised to hear there’s been a breach because Nava works on it now and I’ve talked to them and they seem to know what they’re doing.

https://www.navapbc.com/


Data leaks like this are inevitable. Plan for it, moot the problem with proper design.

The correct answer is to encrypt all demographic data (PII) at rest using translucent database techniques.

Just like a properly salted, encrypted password store.

Because of data interchange, individuals will need globally unique identifiers, eg Real ID.

(These systems still require access & audit logs.)
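An added illustration of the translucent-database idea the comment describes (example code written here, not the commenter's or any project's): rows are keyed by a keyed hash of the identifier and the PII is AES-GCM encrypted, so a dump of the store without the key reveals neither who is in it nor what is stored. The secret `key`, the `tok`/`rec` derivation labels and the `normalize` step are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Store is a translucent record store: rows are keyed by a keyed hash of the
// identifier and hold AES-GCM ciphertext, so no plaintext identifier or PII is stored.
type Store struct {
	key  []byte            // 32-byte secret; assumed to live in a KMS/HSM, apart from the data
	rows map[string][]byte // lookup token -> nonce || ciphertext
}

func NewStore(key []byte) *Store { return &Store{key: key, rows: map[string][]byte{}} }

// normalize (an assumption of this example) maps "123-45-6789" and "123456789" to one record.
func normalize(id string) string { return strings.ReplaceAll(strings.TrimSpace(id), "-", "") }

// derive is HMAC-SHA256(key, label || 0x00 || id). Label "tok" yields the lookup
// token, label "rec" the per-record AES-256 key; both labels are this example's choice.
func (s *Store) derive(label, id string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(label))
	m.Write([]byte{0})
	m.Write([]byte(id))
	return m.Sum(nil)
}

// gcm returns the per-record AEAD. derive always yields 32 bytes, so neither
// aes.NewCipher (key size) nor cipher.NewGCM (block size) can fail here.
func (s *Store) gcm(id string) cipher.AEAD {
	block, _ := aes.NewCipher(s.derive("rec", id))
	aead, _ := cipher.NewGCM(block)
	return aead
}

func (s *Store) Put(id string, pii []byte) error {
	id = normalize(id)
	aead := s.gcm(id)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	token := hex.EncodeToString(s.derive("tok", id))
	// The token is bound as associated data, so a row cannot be re-filed under another token.
	s.rows[token] = append(nonce, aead.Seal(nil, nonce, pii, []byte(token))...)
	return nil
}

func (s *Store) Get(id string) ([]byte, error) {
	id = normalize(id)
	token := hex.EncodeToString(s.derive("tok", id))
	row, ok := s.rows[token]
	if !ok {
		return nil, errors.New("no record")
	}
	aead := s.gcm(id)
	n := aead.NonceSize()
	if len(row) < n {
		return nil, errors.New("corrupt row")
	}
	return aead.Open(nil, row[:n], row[n:], []byte(token))
}
```

The access and audit logging the comment says these systems still need belongs around `Get`, which is the only place an identifier and the key meet; it is omitted here.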


One of the best $150 million dollar websites the taxpayer had ever bought!


Whoops, sorry, apparently it's $319 million according to Sebelius.

https://www.washingtonpost.com/news/fact-checker/wp/2013/10/...


According to Wikipedia:

"The original budget for CGI was $93.7 million, but this grew to $292 million prior to launch of the website. While estimates that the overall cost for building the website had reached over $500 million prior to launch, the Office of Inspector General released a report finding that the total cost of the HealthCare.gov website had reached $1.7 billion."

https://en.wikipedia.org/wiki/HealthCare.gov

Here's the report claiming $1.7B total cost: https://oig.hhs.gov/oei/reports/oei-03-14-00231.asp


Of course Facebook spends 20 billion a year and can't keep its shit together either.

Maybe people should stop thinking software is cheap.


“but my 15 year old cousin can make websites!”


Facebook handles hundreds of millions of users per day. Including images and movies. Facebook’s problems are rarely technical. Healthcare.gov is essentially a CRUD app.


I’m sure Healthcare.gov contractors had a lot more bureaucracy and protocols they had to follow—especially security—regarding a project of this magnitude than a cubicle engineer at FB. Granted, the original launch was botched, but trying to compare the two is apples and oranges.


FB needs good data and good security so that they can sell what they collect. If it could be obtained from FB without paying them, they wouldn’t last very long.


I guess I need to get in the business of making websites for the government.


Absolutely, however the market is heavily taken by friends and families of the politicians in charge. That's why they can shit out a jQuery website done by Indians and charge the government half a billion dollars without a single person being accused of this crime in broad daylight.

Of course CGI is better than ever! Working on multitude of “successful” government projects ;)


I don't know what's more disturbing... The lazy, nihilistic stereotype of politicians as corrupt, or your casual assumption that everybody would share your racist reflex to equate "indian" with "low quality".


Considering that the breach wasn't on the actual site itself but on the accounts of private companies that were tasked with receiving the applications, this isn't an issue with the website. More than likely, some employees that work at these contractors had weak passwords and no limit to the number of logins. As soon as the people on the website found out, access was disabled. It sounds like they actually had their shit together at this point.


Obviously like I said one of the best $150m, er $1.6b, taxpayer has spent. I seriously can not can't think of any other website that takes that amount of traffic and operates on a significantly lower budget.


Wait, “can not.. can’t?” Which way are you going with this


Indeed.


Wikipedia?


That's a steal compared to the Obamacare signup site.


Healthcare.gov is the Obamacare signup site.


Is this before or after it was moved from usds to a contractor?


Healthcare.gov wasn't hacked. Its users' systems were hacked, and the hacked client systems logged in to healthcare.gov through normal means.


This distinction is not useful to the people whose information was accessed. Perhaps healthcare.gov could have been designed in such a way that sensitive user information was not available to client systems, or somehow required that clients have higher levels of security to prevent this from happening.


This is big, east coast, many-contractor design. By the time things made it to the point that somebody was thinking about security, a rule like "providers will be given access to the following fields for a client upon request" was likely already written into a half dozen contracts between seventeen sub-contractors.


Yes, take note east coasters. This doesn't happen on the west coast.


It is explicitly limited by geography. The magnetic pull of the earth on the west coast, because of the San Andreas fault, prevents this from happening there.


Is that not a thing? I had thought "west coast" described startupy, in-house, vaguely agile type of software development, and "east coast" described government contracting, sub-sub-sub contracting, waterfall-style development. Maybe I just picked it up from the folks around me and thought it was more universal.


Haha, were those 'folks around' you on the west coast, perhaps?


We may have encountered Peak HN.


Usds never "had it", it's always been handled by MULTIPLE contractors. In this last version one contractor works on the backend, one works on the frontend, one is responsible for documentation and testing, and none of them communicate.



