Study: Utah Health Breach Could Approach $406M
A 2012 security breach that exposed the personal information of 780,000 Utah residents to hackers could cost as much as $406 million, a new study finds.
The Salt Lake Tribune reports that, in the aftermath of the breach, the state already has spent about $9 million on security audits, upgrades and credit monitoring for victims.
Consumers will shoulder less than a quarter of the $406 million total loss, the research group predicts. The rest will hit retailers and banks coping with the fallout of fraud schemes set in motion by the breach.
The findings come from a consumer survey used to produce a yearly identity theft report. The firm inherited that task from the Federal Trade Commission.
“The bad guys are getting better at using this information,” said Al Pascual, an analyst at Javelin Strategy & Research, which conducted the review. “They are not just Dumpster diving or looking in your mailbox.”
The breach came in late March 2012, after a technician placed the state’s Medicaid server online without changing the factory password.
Hackers broke into the server and downloaded the personal information of the 780,000 Utah residents.
The breach affected some Utah residents on Medicaid, some who were privately insured and others who were uninsured. It also affected retirees on Medicare whose providers had sent patient information to Medicaid.
About 280,000 people had their Social Security numbers exposed in the breach, the analysis found. Those people are most at risk because hackers can use those numbers to access bank accounts, change online passwords and open up new lines of credit.
One in four data breach victims fall subject to fraud on average as hackers become more adept at prying into digital files, Pascual said. So far, at least 10 breach victims have reported instances of fraud, health department records show.
An estimated 122,000 victims are likely to fall prey to identity theft because of the breach, the study reports. Each of those victims will spend an average of nearly 20 hours and about $770 resolving the fraud, Javelin predicts.
Of the $9 million that the state already has spent, $3.4 million came from the Department of Health. It spent $467,000 to hire an ombudsman, operate a hotline, run ads and hold community meetings. It set aside $1.9 million to provide two years of credit monitoring for those whose Social Security numbers were compromised.
Other funds went toward a legal consultant, forensic security audit and the creation of an office to monitor the security of health information.
The Department of Technology Services spent another $1.2 million on a security review of state servers.
In March, the Legislature also set aside $4.4 million for security upgrades, according to the agency’s spokeswoman, Stephanie Weiss.