A cyber attack on the Utah Department of Health (UDOH), perpetrated thanks to a misconfigured server, was worse than originally feared.
The server breach, which initially was believed to have compromised 24,000 individual Medicaid claims, actually impacted that many records, according to an updated news release, issued Friday. Contained in those records was the personal information of 181,604 people.
Included are not just Medicaid recipients, but also clients of the Children’s Health Insurance Plan (CHIP). More than 25,000 victims had their Social Security numbers (SSNs) exposed.
UPDATE: The number of victims has risen even higher. On Monday, UDOH published a new update, saying now that an additional 255,000 people had their SSNs stolen in the heist. The data of these individuals was sent to the state by their doctor as part of a “Medicaid Eligibility Inquiry” to determine their status as recipients of the free or low-cost national health insurance.
The release also states that another 350,000 people listed in the eligibility inquiries may have had other sensitive data lifted, including names, birth dates and addresses.
The tally now sits at 280,000 people whose Social Security numbers were involved in the breach, and another 500,000 who also lost personal information.
Some of the 255,000 SSNs were not connected to any name, thereby reducing the risk of identity theft.
“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” UDOH Deputy Director Michael Hales said. “But we also hope they understand we are doing everything we can to protect them from further harm.”
Attackers were able to compromise the server because an authorization component was not configured properly.
The state’s Department of Technology Services “has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.” The agency plans to bolster its controls with additional networking monitoring and intrusion detection functionality.
UDOH is beginning to notify affected individuals by mail, starting first with those whose Social Security numbers were involved. The agency will provide them with one year of free credit monitoring services.
Officials previously said they believe the hackers operated out of Eastern Europe.