Victim list in Utah medical-records hack grows to 780,000

The number of people who had personal information stolen in a hack of a server containing medial information in Utah continues to escalate, with state officials now saying that as many as 780,000 people had their information compromised.

Up to 280,000 of those people had their Social Security numbers stolen in the March 30 hack, which originated in Eastern Europe, Utah’s departments of Technology Services (DTS) and Health (UDOH) said in an update. Less sensitive information including names, birth dates and addresses on another 500,000 others also was accessed.

The number of victims, who were enrolled in either Medicaid or Children’s Health Insurance Plan programs, has grown steadily since Utah first reported the breach April 4.

Related stories:

Best defense? Start by admitting hackers will get in anyway.

HHS publishes online list of patient data breaches

At first, DTS said it appeared that hackers took information on 24,000 Medicaid recipients, but in an update several days later the department said the hackers actually had taken 24,000 files, each of which can contain information on hundreds of cases. Those files also contained records on CHIP recipients, boosting the total number of people known at the time to be affected to 181,604, about 25,000 of whom had their Social Security numbers taken.

The most recent update, issued April 9, revealed that an additional 255,000 people had their Social Security numbers stolen. The victims' health-care providers had sent their information to the state as part of a Medicaid Eligibility Inquiry, an electronic transaction in which they ask about benefits.

Also added to the total were another 350,000 who may have had less-sensitive information taken, UDOH said.

DTS has started identifying the victims, and Utah will contact them — starting with those who had Social Security numbers stolen — advising them of the hack and offering advice on how to protect themselves, according to the update. People who had their Social Security numbers stolen will also receive a year of free credit monitoring.

However, Utah officials warned victims that DTS or UDOH would not contact them by phone or e-mail and that any such calls or messages asking for personal information would likely be part of a scam.

DTS said a configuration error at the password authentication level left the server vulnerable, and hackers were able to get around its security system. The problem has been corrected, and DTS said it is is increasing its security measures.

DTS and UDOH said they are continuing their investigation and cooperating with local police and the FBI on the case.

Meanwhile, Medicaid recipients can find out whether their information was stolen by calling 1-855-238-3339.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected