Number of victims in state of Utah breach significantly rises

Share this article:
A cyber attack on the Utah Department of Health (UDOH), perpetrated thanks to a misconfigured server, was worse than originally feared.

The server breach, which initially was believed to have compromised 24,000 individual Medicaid claims, actually impacted that many records, according to an updated news release, issued Friday. Contained in those records was the personal information of 181,604 people.

Included are not just Medicaid recipients, but also clients of the Children's Health Insurance Plan (CHIP). More than 25,000 victims had their Social Security numbers (SSNs) exposed.

UPDATE: The number of victims has risen even higher. On Monday, UDOH published a new update, saying now that an additional 255,000 people had their SSNs stolen in the heist. The data of these individuals was sent to the state by their doctor as part of a "Medicaid Eligibility Inquiry" to determine their status as recipients of the free or low-cost national health insurance.

The release also states that another 350,000 people listed in the eligibility inquiries may have had other sensitive data lifted, including names, birth dates and addresses.

The tally now sits at 280,000 people whose Social Security numbers were involved in the breach, and another 500,000 who also lost personal information.

Some of the 255,000 SSNs were not connected to any name, thereby reducing the risk of identity theft.
“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” UDOH Deputy Director Michael Hales said.  “But we also hope they understand we are doing everything we can to protect them from further harm.”

Attackers were able to compromise the server because an authorization component was not configured properly.

The state's Department of Technology Services "has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure." The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.

UDOH is beginning to notify affected individuals by mail, starting first with those whose Social Security numbers were involved. The agency will provide them with one year of free credit monitoring services.

Officials previously said they believe the hackers operated out of Eastern Europe.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

LEADS Act addresses gov't procedure for requesting data stored abroad

LEADS Act addresses gov't procedure for requesting data ...

Senators introduced the legislation last week as a means of amending the Electronic Communications Privacy Act (ECPA).

Report: Intrustion prevention systems made a comeback in 2013

Report: Intrustion prevention systems made a comeback in ...

A new report indicates that intrusion prevention systems grew 4.2 percent in 2013, with growth predicted to continue.

Mobile device security sacrificed for productivity, study says

Mobile device security sacrificed for productivity, study says

A Ponemon Institute study, sponsored by Raytheon, revealed that employees increasingly use mobile devices for work but cut corners and circumvent security.