Utah Breach Affects 25,000 Social Security Numbers

April 9, 2012

Utah health officials said that hackers who broke into state computers last weekend stole far more medical records than originally thought, and the data likely includes Social Security numbers of children who have received public assistance.

Approximately 182,000 beneficiaries of Medicaid and the Children’s Health Insurance Program had their personal information stolen, and about 25,000 Social Security numbers were compromised, Utah Department of Health officials said.

Officials originally estimated that about 24,000 people had their records stolen after someone attacked a server beginning March 30. But the culprit actually downloaded 24,000 files, and each file contained hundreds of records, said Stephanie Weiss, spokeswoman for the Utah Department of Technology Services.

The information was stolen from a new server at the Health Department, Weiss said. Although the state has multiple layers of security on every server, a technician installed a password that wasn’t as secure as needed.

“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” said Michael Hales, deputy director of the Health Department. “But we also hope they understand we are doing everything we can to protect them from further harm.”

Clients whose information was stolen will be alerted, with the first priority being those whose Social Security numbers were taken, Health Department spokesman Tom Hudachko said. The department is offering free credit monitoring for a year to anyone whose information was stolen and has established a hotline for concerned clients to call.

There is no way to narrow down the potential victims to a specific area of the state because the claims come from clinics throughout Utah, Hudachko said. Also, because providers have up to a year to file a claim, it is difficult to even narrow it down to recent patients.

While the investigation is ongoing, Hudachko said the department is recommending that every Medicaid client monitor credit reports, bank accounts and other areas the hackers could target with the information.

Monitoring financial accounts and credit reports is an important first step, but somebody who knows their identity has been stolen should also alert the three credit bureaus about potential fraud, said Kirk Torgensen, a chief deputy with the Utah attorney general’s office who specializes in identity theft.

Protecting children can be more difficult, since they will normally not have a credit report, credit cards or bank accounts to monitor. To assist parents, the state has partnered with the credit bureau TransUnion to provide a way for a child’s Social Security number to be registered and their credit essentially frozen until they are old enough to need it.

The website, http://www.idtheft.utah.gov, also allows victims of fraud to file an affidavit that will reduce the amount of time – sometimes hundreds of hours – that identity theft victims have to spend fixing their credit.

Based on the hacker’s IP address, which identifies a computer on the Internet, Utah’s recent attack likely came from eastern Europe, Weiss said. Someone started downloading the files Sunday, and the server was taken offline Monday after the state’s security software caught the attack.

Attacks on other state servers haven’t been discovered, “but we’re continually reviewing them to make sure they’re secure,” Weiss said.