Hackers steal medical records on 181,000 from Utah server

Hackers apparently operating in Eastern Europe broke into a Utah Department of Technology Services server used to store medical data and stole personal information on 181,604 people, the state’s Department of Health reported.

The attack, which took place March 30, netted information on Medicaid and Children’s Health Insurance Plan recipients, UDOH said in an update on the breach. About 25,000 of those recipients had their Social Security numbers compromised.

The department initially reported the breach April 4, saying that information on about 24,000 Medicaid recipients had been taken. In the more recent update, it said its investigation showed that CHIP recipient data also had been taken.


Related stories:

Best defense? Start by admitting hackers will get in anyway.

To hackers, government users are phish in a barrel


The Department of Technology Services said it at first appeared that the hackers took 24,000 claims, but in fact they removed 24,000 files, each one of which can contain information on hundreds of individuals. DTS said the hackers appeared to be operating out of Eastern Europe but provided no further details.

DTS said the hackers took advantage of a configuration error at the authentication level of the server’s multilayer security system. The department has identified the breakdown and implemented corrective measures, and it is taking steps to improve its hardware and software security, according to the state’s announcement.

UDOH said it will begin contacting the people involved, starting with those whose Social Security numbers may have been compromised. They’ll get a letter with instructions on how to take advantage of free credit monitoring for a year. Others will receive instructions on how to protect themselves, UDOH said.

Recipients who have online access to their information via a My Case account with the state also will receive an e-mail notification and will have information on the breach posted to their accounts.

"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," UDOH Deputy Director Michael Hales said in the department’s announcement. "But we also hope they understand we are doing everything we can to protect them from further harm."

UHOH and DTS are continuing their investigation and said they will continue to issue updates. Medicaid clients can call 1-800-662-9651 to get more information on how to protect themselves and their identities.


About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Tue, Apr 10, 2012

Doesn't HIPAA require medical records at rest to be encrypted?

Tue, Apr 10, 2012

So all the hackers have to do is wait a year for the "protection" to expire and then then have free reign over our identity. Some compromise. More needs to be done.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above