Breach at Utah Department of Health Worse Than Originally Thought

Utah Department of Health Suffers Data Breach Aimed at Medicaid

Update 04/09/12 - On Monday the Utah Department of Health made an additional update following publication of this story, saying that up to 255,000 additional people had their Social Security numbers listed in data stolen from a computer server last week, and that as many as 350,000 additional people may have had other, less-sensitive information, such as their names, birth dates, and addresses, accessed through eligibility inquiries. It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.

Officials in Utah’s Department of Health (UDOH) alerted parents and patients on Friday to the fact that the data breach disclosed previously was much larger than initially reported. In all, some 181,604 people are affected by the security incident.

The attackers hit a server that stores Medicaid claims and Children’s Health Insurance Plan (CHIP) data. Typically, the UDOH notice explains, claims stored on servers like the one breached could include client names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes.

Initially, the Utah Department of Technology Services reported to the UDOH that the breach impacted 24,000 records. “However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals,” the UDOH said in a statement.

Approximately 181,604 Medicaid and CHIP recipients had their personal information removed from the server, the UDOH clarified. Of those individuals, 25,096 appear to have had their Social Security numbers compromised.

Those impacted by the breach will receive letters explaining what they should do to protect themselves, including identity theft monitoring. In addition, the UDOH will offer one year of free monitoring to the potential victims.

Despite the layered security controls in place within the UDOH network, it is believed that attackers from Eastern Europe were able to exploit weaknesses in authentication and configuration controls in order to pull off the attack.

“In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure,” the UDOH statement explained, addressing questions posed after the initial notification concerning how the event occurred.

DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again, the statement added. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.

“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised. But we also hope they understand we are doing everything we can to protect them from further harm,” commented UDOH Deputy Director Michael Hales.

The investigation into the breach is ongoing, the agency said, and more information will be made public if it is relevant.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.