[HN Gopher] Data breach at Kaiser Permanente affects 13.4M people
___________________________________________________________________
Data breach at Kaiser Permanente affects 13.4M people
Author : kryster
Score : 96 points
Date : 2024-04-26 17:15 UTC (5 hours ago)
(HTM) web link (restoreprivacy.com)
(TXT) w3m dump (restoreprivacy.com)
| waihtis wrote:
| Genuinely think cyber has a massive overengineering problem - I
| haven't worked with Kaiser but am under the impression they run
| quite a sophisticated op, with a lot of advanced modeling done
| for vulns & cyber risk in general. Yet they got pounded pretty
| hard here.
|
| Creeping suspicion is too much focus on doing "smart" things with
| data, AI and such and not enough on actually worrying about not
| getting breached.
| thephyber wrote:
| > Yet they got pounded here
|
| Huh? Your passive tense suggests this happened _to_ KP's teams.
|
| From what I'm reading, those are the teams who would have had
| to actively take action to import the tracking code on their
| pages.
|
| My money is on "we imported a thing on the website because our
| advertising team needed to know when advertised users converted
| from any of many different advertising channels". Usually it's
| easier to import a script on a common layout, rather than just
| a single landing page.
|
| Ad teams overrule the website / security teams because one is a
| profit center and the other is a cost center.
|
| Then as engineers / product teams turn over, the new employees
| don't know the original intention of the old imported code and
| are wary to remove it (and if they do, the process is long and
| drawn out).
| GraffitiTim wrote:
| This is why we need Freshpaint (YC S19) for analytics and other
| services for healthcare companies. A primary focus on regulatory
| compliance, privacy, security.
| agnokapathetic wrote:
| this is just from Share Embeds.
|
| they now disclose these are used at login.
| roywiggins wrote:
| [deleted]
| throwaway81523 wrote:
| Kaiser has had another privacy bug for many years, which is they
| give out phone numbers of individual doctors in the Kaiser system
| (of course it goes to voice mail). That sounds great but it's
| invasive: call a Kaiser oncologist, and your phone carrier sells
| the number you dialed to data brokers who profile you as a likely
| cancer patient. Call an AIDS specialist, gender transition
| therapist, abortion provider, etc.: same idea. Kaiser should
| instead have a single incoming phone number where you enter an
| extension of the doctor you are trying to reach. So everyone
| dials the same outgoing number. I griped to them about this
| around 10 years ago and they basically said hrmmph.
| lotsofpulp wrote:
| That's a crazy solution to a legislative problem.
|
| Also, source that call records are sold? I thought even the
| government (non federal security apparatus) needed a warrant to
| get access to that information?
| 01HNNWZ0MV43FF wrote:
| sounds like I need to start dialing some random businesses to
| fuck up my ads
| kevingadd wrote:
| https://www.popularmechanics.com/technology/security/a23567/.
| ..
| lotsofpulp wrote:
| The source material on page 9 and 10 claims a subpoena is
| necessary:
|
| https://archive.nytimes.com/www.nytimes.com/interactive/201
| 3...
|
| Therefore, I am confused whether or not a warrant is
| needed. If the phone networks were straight up selling call
| records, then surely no law enforcement agency would bother
| with warrants.
| whaleofatw2022 wrote:
| Buying the records could cause issues potentially in
| court. The selling of 'evidence' can cause various
| conflicts of interest.
|
| That said I would be completely unsurprised if they were
| used for 'parallel discovery' purposes.
| throwaway81523 wrote:
| Call records have never needed a warrant (lookup "pen
| registers"). Call contents (i.e. wiretaps) have in
| principle always needed a warrant, modulo many
| exceptions. These days though, call records seem to be
| for sale to anyone who wants them, whether or not that is
| legal.
| gopher_space wrote:
| A private investigator could fill us in, but if you look
| at the different personal data services you'll see a lot
| of "check this box to agree that you have a valid legal
| reason to pay us $75 for your ex's info" type setups.
| Pirate Code law.
| singleshot_ wrote:
| Subscriber data: court order.
|
| Communications: warrant.
|
| Metadata: it depends.
|
| (Not a general rule but a useful heuristic).
| hi-v-rocknroll wrote:
| KP's phone carrier, the caller's carrier, or an intermediate
| phone network may be selling metadata to data brokers. The
| current practice in America is that once data* about a person
| has been disclosed to a business by any means, the person
| loses all rights to it and it becomes the property of that
| business to do with and resell it however they want.
|
| * There are limited carve-outs for medical records and such.
| kbenson wrote:
| > The current practice in America is that once data* about
| a person has been disclosed to a business by any means, the
| person loses all rights to it and it becomes the property
| of that business to do with and resell it however they
| want.
|
| Yes. I think what's being alluded to is that the ultimate
| problem lies there, and carving out special systems and
| cases to legislate to avoid bad behavior that might result
| from that will always fall short of what we could get with
| some more overarching legislation that makes it so the end
| person retains at least enough rights about that data to
| know when it's happening and preferably be able to stop it
| and requiring very stringent rules about those that do
| attempt it with permission from end users.
|
| At that point it's no longer about finding which of the
| data aggregators are doing unsavory things with the data
| they get from you and trying to find some way to get them
| to stop and it's then about any data broker that wants your
| information trying to get you to allow it (because there
| are undoubtedly cases where the data is good for society
| and even good for you) needs to justify what and why and
| how they use it.
|
| Edit: And there would be legal recourse if they don't
| follow those legal standards, of course. It's implied, but
| might as well be stated outright.
| smolder wrote:
| I think the better starting point would be that
| businesses have no right to share personally identifying
| information about their customers (short of court orders)
| and the carve outs go the other way. I should then grant
| the "identity handling rights", by way of a license, to
| businesses, as needed. Put some standards around the
| language and method of establishing consent so it can't
| be buried in EULAs, and then I'll be happy to check a box
| to grant businesses to transact with my PII on my behalf
| if there is a legitimate need.
| hi-v-rocknroll wrote:
| Yes, this would need grassroots single issue advancement
| of something like a HIPAA law for general privacy and
| personal data that starts with an opt-in standard
| practice. There's really no way to change the structure
| of how the current situation of data brokering works in
| America without a broad and draconian law.
|
| Perhaps there should also be a nonprofit clearinghouse
| like a "credit agency" that provides a centralized portal
| for reviewing all of the permission links at and between
| businesses, and also a central point for changing phone
| numbers, email, shipping, mailing address, etc.
| kbenson wrote:
| I think that's essentially just what I described, with
| the main difference being that I think we'll only
| actually get there if we approach it from the angle of
| PII being something intrinsically owned by the
| individual, not the company that generated it, which I
| think is easiest approached by making it a right of some
| sort.
|
| Then the carved out allowances for specific companies or
| industries are clear and their need can always be weighed
| against our _rights_ , making them much easier to pull
| back, because it's obvious when it comes to our rights
| and the needs of an industry to continue making money,
| our rights come first. If it's approached from a non-
| rights angle at some point we are attempting to curtail
| an industry, I think that might be a much more
| contentious discussion.
|
| If we can't get rights, I wouldn't mind HIPAA being
| expanded into an overall PII protection system with two
| or more levels, one being current HIPAA health info, and
| the other main one being all other PII info and that
| allows a company to collect it for internal use without
| lots of constraints (depending on info, and purely so it
| doesn't accidentally tank existing industries that aren't
| problematic because all of a sudden they can't store some
| benign info they need that the law accidentally targets)
| but once they want to share it at all they need to adopt
| a much more stringent framework like medical info
| requires for tracking and accounting of it, which would
| probably weed out the vast majority of random "collect
| the PII and sell it because it's cheap" stuff that goes
| on, since it's no longer low cost at all given the
| requirements that would exist around it (including
| authorization to share). Just the cost structure around
| strict legal and storage compliance and requiring
| authorization and tracking of all sharing of information
| would disincentivize a huge amount of the abuse we see.
| hi-v-rocknroll wrote:
| Correlation between web, social media, brick and mortar
| retailers, banking, credit, and cell phone carriers has reached
| a level of ridiculous perversion. America needs a modern
| German-like privacy framework. Data brokers should be illegal
| and individuals should have final say over how uniquely
| identifying information about them is exchanged.
| smolder wrote:
| Yes. The data hoarding creates endless opportunity for abuse
| and only marginally improves the utility of things like
| advertising.
|
| The case of insurance providers having a microscope into
| everyone's lives is simply dystopian. As with political
| campaigns, potential employers, law enforcement, and so on.
| bee_rider wrote:
| Your cellphone could also report your location when you walk to
| these medical providers, right?
| KeepFlying wrote:
| Yeah but you could theoretically turn off Location services
| and then the cell network may not be able to tell if you're
| at the doctors or at the McDonalds next door so it still
| offers some (limited) privacy.
| bhhaskin wrote:
| By that logic you could in theory use a VOIP number to
| call...
| nix0n wrote:
| So if I call some Sports Medicine doctors, then advertisers
| will think I'm a cool, active person.
| neilv wrote:
| The solution is FBI raids on the headquarters of the carriers,
| data brokers, and companies that buy/use/resell/share/etc. the
| data.
|
| Plus the individuals found responsible thrown into prison, and
| personally bankrupted.
|
| Plus a punitive hit to the stockholders, including clawbacks of
| past realized gains, to align incentives better with productive
| society, and not let a corporation be a shield for routine
| criminal conspiracy.
|
| Working backwards from the desired state, what legislation do
| we need?
| drstewart wrote:
| >Working backwards from the desired state, what legislation
| do we need?
|
| Not much for the jackboot police state you look to create
| SAI_Peregrinus wrote:
| This is not unique to Kaiser. Anyone not on an HMO plan has
| separate providers for separate specialties.
| Dalewyn wrote:
| >I griped to them about this around 10 years ago and they
| basically said hrmmph.
|
| To be fair to Kaiser, that really isn't their problem.
|
| You should be griping to the telco (yes, I know it's a waste of
| time) and your politicians (marginally more useful than the
| former), because that is their problem.
| ComputerGuru wrote:
| Do you think they still have my records from 30 years ago? Not
| really kidding, actually curious if that data was ever properly
| migrated from system to system.
| kevingadd wrote:
| My historical records were never digitized by KP, they're on
| paper in a storage bin somewhere.
| ComputerGuru wrote:
| Curious how you know and how far back you are referring to?
| Did you stick with them throughout -- if so, I would imagine
| they would have had extra incentive to import just yours, at
| the very least (and others like you, obviously).
|
| Glad to know they're a forest fire away from being lost. If
| you haven't used your medical records or had them forwarded
| to another provider in over three decades, I think it's ok if
| they go bye-bye.
| el_benhameen wrote:
| My visit information wasn't digitized as far as I know, but
| my vaccine records and possibly other records from the 1980s
| are in my kp account.
| patja wrote:
| About 10 years ago they dug up all my Group Health Coop
| (since bought by Kaiser) vaccine records since 1970 and
| updated the digital record to include them
| phone8675309 wrote:
| It should be illegal for any private company to hold that much
| personal information
| hi-v-rocknroll wrote:
| Every American voter could call and/or write physical letters
| to their representatives to express their displeasure about the
| lack of purchase, web, and financial data and telco metadata
| privacy rights.
|
| https://www.commoncause.org/find-your-representative/
| hi-v-rocknroll wrote:
| Ouch. Perhaps they still have records of doctor incompetence when
| they nearly killed me at birth at their demolished Santa Clara
| location. KP is a good deal when or if you are healthy but not so
| great if you aren't.
| nikolay wrote:
| It's always the SOC 2 and HIPAA-compliant companies that get
| breached, but, of course, mostly compliant companies are
| lucrative targets.
| bearjaws wrote:
| It's because HIPAA is a joke and SOC2 is basically the bare
| minimum at this point.
|
| Too many little ways to manipulate your artifacts to pass SOC2
| and no accountability when it goes wrong.
| gopher_space wrote:
| Sat in a hospital room with a relative for two weeks and saw
| staff repeatedly violate compliance directives in order to
| provide timely care. They clearly weren't being provided the
| resources needed to do so.
|
| Also, for the entrepreneurs out there, they seem to really
| need some kind of tubing that won't collect air bubbles.
| Something with a hydrophobic interior? I don't know. There's
| a related area regarding flushing IV systems that could use
| attention as well.
| xyst wrote:
| Anyone that has worked in a sector where technology is often a
| second tier citizen or after thought knows these types of
| breaches are inevitable.
|
| Hospitals. Banks. Airline industry.
|
| The shit I have seen in just these industries made me think twice
| about having my private information held here.
|
| Of course, the "IT" is often outsourced or "in sourced" (often
| juniors fresh out of college). Thus simple shit such as network
| segmenting production and development environments; and limiting
| access to production databases/assets is nonexistent.
|
| I remember working in an airline where the backend systems were
| still running on outdated mainframe systems. Nobody had a clue
| how the existing mainframe systems worked. No documentation. Only
| poorly maintained support docs on how to keep it running. I ended
| up silent quitting after 3 months because management kept
| shutting down all of my initiatives to improve ops and quality.
| This company later had a massive meltdown. I wasn't surprised and
| just glad I wasn't subpoenaed.
| cnj wrote:
| > The data exposure was discovered following an internal
| investigation conducted voluntarily by Kaiser Permanente. The
| company discovered that online trackers used on its websites and
| mobile applications were transmitting certain types of personal
| data when users interacted with its services.
|
| I have respect for the individuals that started this
| investigation, and the ones that made sure this is publicly
| disclosed. This could have easily been swept under the carpet.
|
| Actually, that they uncovered this on their own and publicly
| disclosed it sounds like they have an above-average privacy
| culture in place.
|
| I know the odds that the person(s) who kicked off this
| investigation are reading this comment are very low, but if so:
| Kudos, well done!
| shreezus wrote:
| None of this surprises me one bit. I have worked in the health
| space for several years, and I have personally seen the inner
| workings of several insurers and the manmade horrors within.
|
| It blows my mind that these multibillion dollar institutions are
| so poorly managed on the technology/IT front. I think _most
| people_ will have their health data likely leaked at some point.
| peteradio wrote:
| > I think most people will have their health data likely leaked
| at some point.
|
| Just don't go to the hospital or in any other way involve your
| system with the InsuroServo complex. Problem solved!
| mleonhard wrote:
| I reported this to Kaiser on 2021-11-22, in support case number
| 53710772. Below is the content of the ticket I filed. I didn't
| follow through on disclosure. Now I wish I had, since they could
| have fixed this problem faster instead of taking 2.5 years.
|
| I am still a satisfied Kaiser customer.
|
| ----
|
| Hi KP.org Team,
|
| Just now, I logged into KP.org. Something was loading slowly, so
| I viewed the network requests the website was making. I was
| surprised to see requests to Google, Adobe, Bing, Qualtrics,
| BTTag.com, and Unpkg.com. A request to Google includes info
| intended to de-anonymize my computer: time, IP addr, device type,
| display size, browser window size, timezone, and others. These
| requests occur even while reading messages with my doctor!
|
| The page loads JavaScript from Adobe, Bing, Google, and
| Qualtrics. People who control those companies' servers can read
| my confidential messages. Adobe has a track record of
| incompetence in IT security.
|
| Please review your decision to make KP.org load external code and
| trackers. If you do not respond by 2022-01-14 (90 days), I will
| disclose this information to privacy-oriented media organizations
| and HHS.gov. I saved screenshots for this purpose.
|
| Sincerely, Michael
| ewhanley wrote:
| That's pretty gross. Why would a hospital/healthcare system
| even need all that tracking? They don't make enough from their
| primary business that they also need to sell patient data for
| advertising? I would guess some dev just slapped on a bunch of
| boilerplate that so many other projects use and called it a
| day.
| adolph wrote:
| Login page still loads up Adobe and Qualtrics. Maybe KP has BAA
| with those services?
|
| URL (gets redirected):
| https://healthy.kaiserpermanente.org/consumer-sign-on
|
| If one had a list of patient portals[0], what would be the
| simplest way to check each for 3rd party trackers? Use
| Selenium?
|
| 0. curl -s "https://www.mychart.org/LoginSignup" | grep 'JSON.par' | sed -e 's;^.*JSON.parse('\'';;' -e 's;'\'').*$;;' | jq '.Customers[].LoginUrl' | tr -d '"'
| jmholla wrote:
| Is this a HIPAA violation?
| wahoo324 wrote:
| I wonder if they had CSP and intentionally bypassed or they
| didn't have CSP at all.
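The two questions above (how to check a list of portals for third-party trackers, and whether a CSP was in place) share one static check, shown here as an added example that is not code from this thread, from Kaiser or from any tracker vendor. It parses a page's HTML for every script and image it loads, flags loads that leave the first-party host, and then tests each load against the page's own Content-Security-Policy to see whether the policy would even permit it. The page, both policies and all host names (portal.example, cdn.example, tag.analytics-vendor.example, pixel.ads-vendor.example) are constructed samples, and the CSP matcher is a simplified version of the spec (keywords, `*`, scheme-source, host-source with a leading wildcard label; ports and paths are ignored).

```python
"""Static audit of a page's third-party scripts and pixels against its CSP.

Added example; not code from the thread or from any real portal. The HTML,
the policies and every host name below are constructed and hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "portal.example"  # assumed first-party host of the page under audit

# Constructed sample page: two first-party assets, one CDN script,
# one analytics tag and one tracking pixel.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://tag.analytics-vendor.example/tag.js"></script>
</head><body>
<img src="https://pixel.ads-vendor.example/p.gif" width="0" height="0">
<img src="/img/logo.png">
</body></html>"""

# Constructed policies: one names the CDN explicitly, one is allow-all for scripts.
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example; img-src 'self' https:"
WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'; img-src *"


class AssetCollector(HTMLParser):
    """Collects <script src> and <img src> URLs in document order."""

    def __init__(self):
        super().__init__()
        self.scripts, self.images = [], []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if src and tag == "script":
            self.scripts.append(src)
        elif src and tag == "img":
            self.images.append(src)


def host_of(url, page_host):
    """Host an asset URL resolves to; relative URLs resolve to the page host."""
    netloc = urlparse(url).netloc
    return netloc.lower() if netloc else page_host


def is_third_party(url, page_host):
    host = host_of(url, page_host)
    return not (host == page_host or host.endswith("." + page_host))


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _source_matches(source, url, page_host):
    """Simplified CSP source matching: keywords, '*', scheme-source, host-source."""
    s = source.lower()
    host = host_of(url, page_host)
    scheme = urlparse(url).scheme or "https"  # scheme-relative URLs assumed https
    if s == "'none'":
        return False
    if s == "'self'":
        return host == page_host
    if s == "*":
        return True
    if s in ("https:", "http:"):
        return scheme == s[:-1]
    if s.startswith("'"):  # 'unsafe-inline', 'nonce-...' never match a host
        return False
    host_part = s.split("://", 1)[-1].split("/", 1)[0]
    if host_part.startswith("*."):
        return host.endswith(host_part[1:])
    return host == host_part


def csp_allows(directives, directive, url, page_host):
    """True if the policy permits loading url under directive (falls back to default-src)."""
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing is blocked
    return any(_source_matches(s, url, page_host) for s in sources)


def audit(html, csp_header, page_host=PAGE_HOST):
    """One finding per asset: where it loads from and whether the CSP lets it load."""
    collector = AssetCollector()
    collector.feed(html)
    directives = parse_csp(csp_header)
    findings = []
    for kind, directive, urls in (("script", "script-src", collector.scripts),
                                  ("img", "img-src", collector.images)):
        for url in urls:
            findings.append({"kind": kind, "url": url,
                             "host": host_of(url, page_host),
                             "third_party": is_third_party(url, page_host),
                             "csp_allows": csp_allows(directives, directive, url, page_host)})
    return findings


def unsanctioned(findings):
    """Third-party loads in the markup that the page's own CSP would not permit."""
    return [f["url"] for f in findings if f["third_party"] and not f["csp_allows"]]


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, STRICT_CSP):
        print(finding)
    print("strict CSP would block:", unsanctioned(audit(SAMPLE_HTML, STRICT_CSP)))
    print("weak CSP would block:", unsanctioned(audit(SAMPLE_HTML, WEAK_CSP)))
```

Run against real input by feeding `audit()` the body of each LoginUrl from the curl pipeline above together with that response's Content-Security-Policy header. Two caveats worth keeping in mind: the sample's `img-src https:` lets the tracking pixel through, which is the kind of broad scheme-source that makes a CSP look present without constraining anything, and this is a static pass over the markup, so scripts injected at runtime by a tag manager only show up under a real browser (Selenium, or a HAR export) rather than here.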
| nextworddev wrote:
| So much for hipaa
| slater wrote:
| There's something seriously wrong with the KP web department.
| Their current site is a slow, buggy mess that regularly locks up
| for no discernible reason on my system (M2 Air, latest Firefox
| and macOS). Just the other day I had to nuke all the cookies to
| log in again, because the site got itself in a login loop ("the
| website isn't redirecting properly").
___________________________________________________________________
(page generated 2024-04-26 23:01 UTC)