The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) on Monday the server that houses Medicaid claims was hacked. On Wednesday, the UDOH publicly announced the breach. On Friday, DTS revealed the damage: 181,604 Medicaid and Children's Health Insurance Plan (CHIP) recipients had their personal information stolen. Of those, 25,096 appear had their Social Security numbers (SSNs) compromised.
The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012.
On Wednesday, the DTS said information was accessed from approximately 24,000 claims. It turned out the hackers had made off with 24,000 files, and one single file can potentially contain claims information on hundreds of individuals. On Friday, the DTS thus confirmed the number of Medicaid clients affected was actually 181,604.
Claims stored on servers like the one that experienced the breach can include client names, addresses, birth dates, SSNs, physician's names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes.
DTS had recently moved the claims records to a new server, which had a configuration error at the authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewed every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.
The UDOH will be reaching out to clients whose personal information was stolen during the attack, with priority being placed on those clients whose SSNs were compromised – the latter group will receive free credit monitoring services for one year. In the meantime, the UDOH is advising all Medicaid clients to monitor their credit and bank accounts.
"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," UDOH Deputy Director Michael Hales said in a statement. "But we also hope they understand we are doing everything we can to protect them from further harm."