Number of victims in state of Utah breach significantly rises

A cyber attack on the Utah Department of Health (UDOH), made possible by a misconfigured server, was worse than originally feared.

The server breach, which initially was believed to have compromised 24,000 individual Medicaid claims, actually impacted that many records, according to an updated news release, issued Friday. Contained in those records was the personal information of 181,604 people.

Included are not just Medicaid recipients, but also clients of the Children's Health Insurance Plan (CHIP). More than 25,000 victims had their Social Security numbers (SSNs) exposed.

UPDATE: The number of victims has risen even higher. On Monday, UDOH published a new update, saying now that an additional 255,000 people had their SSNs stolen in the heist. The data of these individuals was sent to the state by their doctor as part of a "Medicaid Eligibility Inquiry" to determine their status as recipients of the free or low-cost national health insurance.

The release also states that another 350,000 people listed in the eligibility inquiries may have had other sensitive data lifted, including names, birth dates and addresses.

The tally now sits at 280,000 people whose Social Security numbers were involved in the breach, and another 500,000 who also lost personal information.

Some of the 255,000 SSNs were not connected to any name, thereby reducing the risk of identity theft.

“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” UDOH Deputy Director Michael Hales said. “But we also hope they understand we are doing everything we can to protect them from further harm.”

Attackers were able to compromise the server because an authorization component was not configured properly.

The state's Department of Technology Services "has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure." The agency plans to bolster its controls with additional network monitoring and intrusion detection functionality.

UDOH is beginning to notify affected individuals by mail, starting first with those whose Social Security numbers were involved. The agency will provide them with one year of free credit monitoring services.

Officials previously said they believe the hackers operated out of Eastern Europe.
