Victim list in Utah medical-records hack grows to 780,000

The number of people who had personal information stolen in a hack of a server containing medial information in Utah continues to escalate, with state officials now saying that as many as 780,000 people had their information compromised.

Up to 280,000 of those people had their Social Security numbers stolen in the March 30 hack, which originated in Eastern Europe, Utah’s departments of Technology Services (DTS) and Health (UDOH) said in an update. Less sensitive information including names, birth dates and addresses on another 500,000 others also was accessed.

The number of victims, who were enrolled in either Medicaid or Children’s Health Insurance Plan programs, has grown steadily since Utah first reported the breach April 4.

Related stories:

Best defense? Start by admitting hackers will get in anyway.

HHS publishes online list of patient data breaches

At first, DTS said it appeared that hackers took information on 24,000 Medicaid recipients, but in an update several days later the department said the hackers actually had taken 24,000 files, each of which can contain information on hundreds of cases. Those files also contained records on CHIP recipients, boosting the total number of people known at the time to be affected to 181,604, about 25,000 of whom had their Social Security numbers taken.

The most recent update, issued April 9, revealed that an additional 255,000 people had their Social Security numbers stolen. The victims' health-care providers had sent their information to the state as part of a Medicaid Eligibility Inquiry, an electronic transaction in which they ask about benefits.

Also added to the total were another 350,000 who may have had less-sensitive information taken, UDOH said.

DTS has started identifying the victims, and Utah will contact them — starting with those who had Social Security numbers stolen — advising them of the hack and offering advice on how to protect themselves, according to the update. People who had their Social Security numbers stolen will also receive a year of free credit monitoring.

However, Utah officials warned victims that DTS or UDOH would not contact them by phone or e-mail and that any such calls or messages asking for personal information would likely be part of a scam.

DTS said a configuration error at the password authentication level left the server vulnerable, and hackers were able to get around its security system. The problem has been corrected, and DTS said it is is increasing its security measures.

DTS and UDOH said they are continuing their investigation and cooperating with local police and the FBI on the case.

Meanwhile, Medicaid recipients can find out whether their information was stolen by calling 1-855-238-3339.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected