Number of victims in state of Utah breach significantly rises

Share this article:
A cyber attack on the Utah Department of Health (UDOH), perpetrated thanks to a misconfigured server, was worse than originally feared.

The server breach, which initially was believed to have compromised 24,000 individual Medicaid claims, actually impacted that many records, according to an updated news release, issued Friday. Contained in those records was the personal information of 181,604 people.

Included are not just Medicaid recipients, but also clients of the Children's Health Insurance Plan (CHIP). More than 25,000 victims had their Social Security numbers (SSNs) exposed.

UPDATE: The number of victims has risen even higher. On Monday, UDOH published a new update, saying now that an additional 255,000 people had their SSNs stolen in the heist. The data of these individuals was sent to the state by their doctor as part of a "Medicaid Eligibility Inquiry" to determine their status as recipients of the free or low-cost national health insurance.

The release also states that another 350,000 people listed in the eligibility inquiries may have had other sensitive data lifted, including names, birth dates and addresses.

The tally now sits at 280,000 people whose Social Security numbers were involved in the breach, and another 500,000 who also lost personal information.

Some of the 255,000 SSNs were not connected to any name, thereby reducing the risk of identity theft.
“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” UDOH Deputy Director Michael Hales said.  “But we also hope they understand we are doing everything we can to protect them from further harm.”

Attackers were able to compromise the server because an authorization component was not configured properly.

The state's Department of Technology Services "has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure." The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.

UDOH is beginning to notify affected individuals by mail, starting first with those whose Social Security numbers were involved. The agency will provide them with one year of free credit monitoring services.

Officials previously said they believe the hackers operated out of Eastern Europe.

Share this article:

Sign up to our newsletters

More in News

Incapsula mitigates multi-vector DDoS attack lasting longer than a month

Incapsula mitigates multi-vector DDoS attack lasting longer than ...

Incapsula's scrubbing servers were able to filter out more than 50 petabits of malicious DDoS traffic aimed at a video game company for longer than a month.

UPS announces breach impacting 51 U.S. locations

The shipping and printing provider said malware has been present on some stores' computer systems since mid-January.

'Machete' espionage campaign targets orgs in Venezuela, Ecuador

The campaign targets Spanish speaking victims, which also appears to be the native language of attackers.