Medicaid hacked: over 181,000 records and 25,000 SSNs stolen

Medicaid hacked: over 181,000 records and 25,000 SSNs stolen

Summary: The Utah Department of Health has been hacked. 181,604 Medicaid/CHIP recipients have had their personal information stolen. 25,096 have had their Social Security numbers (SSNs) compromised.


Update - Medicaid hack update: 500,000 records and 280,000 SSNs stolen

The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) on Monday the server that houses Medicaid claims was hacked. On Wednesday, the UDOH publicly announced the breach. On Friday, DTS revealed the damage: 181,604 Medicaid and Children's Health Insurance Plan (CHIP) recipients had their personal information stolen. Of those, 25,096 appear had their Social Security numbers (SSNs) compromised.

The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012.

On Wednesday, the DTS said information was accessed from approximately 24,000 claims. It turned out the hackers had made off with 24,000 files, and one single file can potentially contain claims information on hundreds of individuals. On Friday, the DTS thus confirmed the number of Medicaid clients affected was actually 181,604.

Claims stored on servers like the one that experienced the breach can include client names, addresses, birth dates, SSNs, physician's names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes.

DTS had recently moved the claims records to a new server, which had a configuration error at the authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewed every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.

The UDOH will be reaching out to clients whose personal information was stolen during the attack, with priority being placed on those clients whose SSNs were compromised – the latter group will receive free credit monitoring services for one year. In the meantime, the UDOH is advising all Medicaid clients to monitor their credit and bank accounts.

"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," UDOH Deputy Director Michael Hales said in a statement. "But we also hope they understand we are doing everything we can to protect them from further harm."

Update - Medicaid hack update: 500,000 records and 280,000 SSNs stolen

See also:

Topics: Banking, Enterprise Software, Government, Government US, Health, Security, Servers

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Whoever did this was twisted

    Most people using these services are retired. Going after them for ill-gotten gains is about as twisted as things get.
    • Medicare vs. Medicaid

      Medicare is for seniors, not Medicaid. Although seniors might use Medicaid, these hacks were after children and adult accounts.
      • And a Microsoft server is an easy target as usual

      • Medicare/Medicaid

        Thank Heaven Medicare in Australia covers everyone
        Have no Idea how it works in the USA but seems pretty dreadful by the sounds of it
    • Senior people are 10 times more likely to have their identity stolen

      Senior people are 10 times more likely to have their identity stolen than any other group. They are also the #1 target for most type of scams (including phone and Nigerian scams).

      Even with your confusion about Medicaid, that fact is still (sadly) true. Human garbage does not care that they person is an old grandma or grandpa. All they care is that they are an easy target.
    • Just what I was thinking Hypno Toad72,

      And this is just lower than low, taking away from these people that don't have that much anyway. I hope they can catch them and make an example of them.

      And that goes for all you Spammers out there as well!!!
    • While I don't disagree with that

      the fact is that scammers always go after the most vulnerable. Therefore corporations and especially the government have no excuse to allow for such security breaches. They KNOW these records are a primary target.
      Michael Kelly
  • I see these types of articles almost daily now.

    I see these types of articles almost daily now. I wonder how long it will be until everyone has had his/her information compro
  • I see these types of articles it seems almost daily now.

    I have to wonder how long it will be until everyone has had his/her information compromised at least once. Sorry my previous post fired before I was finished.
    • Do they not check, and then re-check settings on these servers

      before they are placed online, as the article points out that they [i]moved the claims records to a new server, [b]which had a configuration error at the authentication level, allowing hackers to circumvent the security system[/b][/i]

      With the amount of money at the government's disposal, I have to wonder how they could have missed an issue like this.
      Tim Cook
      • For some reason

        They always feel it is cheaper to fix than test......
      • Not always true...

        Remember this is at the state level. I've worked for state government (not in Utah) and I can tell you that what frequently happens is state agencies are very often handed a mandate to do something from the legislature with no funding associated with it...hence the term "unfunded mandate". Some poor shmoe IT guy at the responsible agency gets handed this mandate with instructions to "make it happen" without any resources to do so and has to patch something together on a shoe string. Then everyone blames him if anything goes wrong.
      • Happens everywhere

        There are dozens if not hundreds of private corporations also being hacked every month. Just because this time it might be some fraction of YOUR money involved, you bitch and whine about it.

        Sure, a dumb mistake was made. However, mistakes can and do happen. Whatever job (if you work) that you do, I am sure you have made the occasional mistake. I know that I have made my share.

        Rather than relying on individuals to always "do the right thing" which you are implying, we need to build systems in layers, so a single misconfigured server cannot (by itself) be compromised. If the rules explicitly mandate that data be stored in a silo with so many layers of protection, then the poor IT shmoe who gets asked to store the data can turn round and REQUIRE the necessary stuff to make it happen according to the rules.
  • exactly

    IF you are still getting hacked by something other than a 0day exploit after this much amount of time has passed and media, you are just lazy. Oh wait, that's just IT budget cuts kicking in. By now there should be no excuse and company's should be going out of there way to make sure critical information is secured.
    • First thing to go is IT

      I was laid off by my company (both me and my colleague we were the.only IT they had) due to financial troubles. How foolish I'm sure they feel, not even two weeks later they were hacked cuz no one knew how to keep things running. Companies foolishly cut IT at first sign of any financial woes cuz they don't see us as money makers, true but we are just as important because we protect the companies digital assets and enable the money makers to continue forward, which is the foolish oversight so many hasty execs make.
  • Marc Jacobs handbags

    Consistent with a fabulous statement, [url=]Marc Jacobs handbags[/url] there is beyond 310 zillion Chinese language program learning Everyday terms, [b][url=]Marc by Marc Jacobs bags[/url][/b] beyond all the complete populations about the u . s. [url=]Marc by Marc Jacobs dress[/url] still, all the Chinese language program ought to attempt difficult to make sure you [b][url=]Marc by Marc Jacobs handbags[/url] [/b]enhance all the general ordinary [url=]Marc by Marc Jacobs Bianca Motorola clutch Brown[/url] about Everyday terms.
  • Health Insurance

    So as I say, I wake up every morning, thankful that I have exceptional health insurance coverage I found through "Penny Health" for my family because it gives me peace of mind knowing that my family can count on me to deliver their health care needs.
    • Until

      Yeah sure! Until you need to use it! You get what you pay for!
  • TF&ITW

    Empire of technological blogs TF&IT is looking for new staff ( posts writers ) or you can add to the partnership program and earn 30% of the profits from advertising.??
    J.M. USA
  • URGENT: Put Utah in the headline, PLEASE!!!

    Yes, I'm visually impaired and I have a Medicaid card and since gotten a Medicaid in Florida, I'm unsure if Florida Department of Health have been hacked before.
    Grayson Peddie