Utah Health Breach Impact Grows

Investigation Reveals Far More Were Affected
Utah Health Breach Impact Grows

State officials in Utah now say nearly 182,000 Medicaid clients and Children's Health Insurance Plan recipients had their claims data compromised in a recent hacking incident that they originally believed affected only about 24,000 Medicaid claims.

See Also: Mobile Banking and the Digital Experience: How to Protect your Customers

Authorities say that about 25,000 individuals' Social Security numbers were exposed in the data breach, which is believed to involve Eastern European hackers. Those victims will be offered a year's worth of free credit monitoring services.

"Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims," according to a statement from the Utah Department of Health. "However, as the investigation progressed, the Utah Department of Technology Services determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals."

Hacking incidents are relatively rare in healthcare. Since the HIPAA breach notification rule went into effect in September 2009, only about 7 percent of the more than 400 major breaches reported have involved hacking, Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, said in a recent presentation.

In what appears to be the largest healthcare hacking incident reported under the breach notification rule, Seacoast Radiology in Rochester, N.H., notified 230,000 patients in January 2011 that their information had been exposed to hackers using a server to gain bandwidth to play a video game.

Hacking Incident Details

In the Utah incident, the compromised information was on a state server managed by the technology services department. "In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system," according to the Utah Department of Health's statement. "The Department of Technology Services has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure."

Officials have identified where the security breakdown occurred and have "implemented new processes to ensure this type of breach will not happen again," according to the statement. "Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities."

In an earlier statement, authorities said the technology services department notified the health department April 2 that the data breach occurred March 30. That statement noted that claims may include client names, addresses, birth dates, Social Security numbers, physician's names, national provider identifiers, tax identification numbers and procedure codes designed for billing purposes (see: Hackers Access Medicaid Records).

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network