SALT LAKE CITY (ABC 4 News) – The Utah Department of Health is reporting a Medicaid breach initially reported April 4 is larger than originally thought.
UDOH reported hackers gained access to about 25,000 Medicaid records; further analysis reveals 25,000 Medical files were compromised.
Files contain more personal information putting the patients at a greater risk.
Hackers took social security numbers, home address information and tax information.
Computer forensics traced the hackers i.p. address to an Eastern European country. They broke into Utah’s Medicaid server March 30 but didn’t start extracting information until April 1.
Utah officials discovered the breach the following morning and shut the server down.
UDOH expects to have a complete list of the victims by April 6. It will contact them and offer free credit services.
Utah Department of Health News Release:
Impact of DTS data breach on Medicaid server widens
(Salt Lake City, UT) – A cyber attack on a Utah Department of Technology Services (DTS) computer server that stores Medicaid claims data now appears to have affected far more recipients than originally believed. In addition to Medicaid clients, the breach also involved information from Children’s Health Insurance Plan (CHIP) recipients.
As part of its on-going investigation into the attack, DTS today reported to the Utah Department of Health (UDOH) that approximately 181,604 Medicaid and CHIP recipients had their personal information removed from the server. Of those individuals, 25,096 appear to have had their Social Security numbers compromised.
The UDOH will immediately begin reaching out to clients whose personal information was stolen during the attack, with priority being placed on those clients whose Social Security numbers were jeopardized. Those clients will receive a letter in the mail instructing them on how to take advantage of free credit monitoring services for one year.
Once those clients have been notified, all other affected clients will receive letters with information on how to further protect themselves. Additionally, clients who have signed up for a My Case account (a web portal clients can use to access their accounts) had information on the breach posted to their accounts along with an e-mail notification.
“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” said UDOH Deputy Director Michael Hales. “But we also hope they understand we are doing everything we can to protect them from further harm.”
Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims. However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals.
DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.
DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.
The investigation into the breach of the server is ongoing, and the two agencies will continue to update the public with any further developments.
Concerned Medicaid clients are still encouraged to call 1-800-662-9651 to get more information on how to protect themselves and their identities. This same information can also be found at http://www.health.utah.gov/databreach.
# # #
The mission of the Utah Department of Health is to protect the public's health through
preventing avoidable illness, injury, disability and premature death, assuring access to
affordable, quality health care, and promoting healthy lifestyles.
