Utah Medicaid Clients Hit by Huge Data Breach
This story was updated at 3:30 p.m. on Tuesday (April 10) with estimates that a total of 780,000 people may have been affected. See the end of the story for the updated material.
Hackers infiltrating a server at the Utah Department of Technology Services made off with the personal information of more than 180,000 Medicaid and Children's Health Insurance Plan recipients, nearly half of the state's total clients.
Tied to the 181,604 compromised records on the breached DTS server were the Social Security numbers for 25,096 people, the Salt Lake City Tribune reported. The hackers, who breached the insufficiently protected server on March 30, are believed to be Eastern European.
The 24,000 files stolen contained the personally identifiable information of more than 180,000 clients, which means that information about roughly 60 percent of Utah's total Medicaid and CHIP claimants was compromised.
In a statement issued Friday (April 6), the Utah Department of Health, which is responsible for the DTS, said it is notifying the affected clients, with top priority given to those whose Social Security numbers were jeopardized.
"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," UDOH deputy director Michael Hales said. "But we also hope they understand we are doing everything we can to protect them from future harm."
The cyberattack was made possible by a configuration error in the server at the password-authentication level. Hales told the Tribune he is aware of the employee who put the server online without first properly securing it, but believes it was just a mistake.
UPDATE: Later Monday (April 9), the Utah Department of Health drastically revised its estimates of the number of people affected.
"It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen," read an announcement on the Department of Health's website.
"The victims are likely to be people who have visited a health care provider in the past four months. Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients."
Assuming that there are few duplicates between the two groups of victims, it appears that about 27 percent of Utah's population may be affected.
The Department of Health said that everyone whose Social Security number was compromised would get one year of free credit monitoring. It suggested that anyone who feels they might be involved visit http://idtheft.utah.gov to learn more about protecting their identity and financial data.