Utah Medicaid patients affected by second breach in year

An unencrypted USB device containing the sensitive information of 6,000 Utah Medicaid recipients has gone missing – making it the second breach to affect the Utah Department of Health (UDOH) in a year.

How many victims? 6,000.

What type of personal information? Names, ages, Medicaid identification numbers, and recent history of prescription drug use.

What happened? Last Thursday, an employee for Augusta, Maine-based contractor Goold Health Systems (GOH), which processes Medicaid pharmacy transactions for UDOH, lost a USB device while traveling among Salt Lake City, Denver and Washington, D.C. 

What was the response? The Office of the Inspector General for Medicaid Service will monitor any suspicious activity involving Medicaid enrollees. The Office of the Health Data Security Ombudsman will be responsible for helping victims, who will also receive notification letters from UDOH over the next several days.

Details: The employee saved the data to a USB drive after having issues uploading a report to a secure file server.

In another incident last April, hackers breached a UDOH server and stole sensitive information of around 780,000 Medicaid recipients and Children's Health Insurance Program participants, which led to the firing of the head of Utah's Department of Technology Services Stephen Fletcher. About 280,000 Social Security numbers also were accessed in the breach.

Quote: “We believe the potential risk for identity theft [due to the latest breach] is minimal,” Utah Medicaid Director Michael Hales said Wednesday in a statement. “Further, we have no reason to believe the data were targeted by anyone to be used for malicious purposes. Nevertheless, we understand the anxiety this will likely cause and want clients to know we are taking all reasonable precautions to ensure the missing data cannot be used to harm individual clients or defraud the Medicaid program.”