Monday, April 9, 2012

UTAH DTS Breach Larger Than First Reported (up to 630,000)

UPDATED: 4/10--- Latest Information:
The Utah Department of Technology Services (DTS), along with the Utah Department of Health (UDOH) today announced up to 255,000 additional people had their Social Security numbers listed in data stolen by thieves from a computer server last week.These latest victims are people whose information was sent to the state by their health care provider in a transaction called a Medicaid Eligibility Inquiry to determine their status as possible Medicaid recipients.

The victims are likely to be people who have visited a health care provider in the past four months.Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients.

DTS has started the process of identifying these additional victims, and the state will be sending letters directly to them as they are identified.Some of the 255,000 Social Security numbers were not accompanied by any other indentifying information (such as names and addresses), so DTS will likely need to coordinate with other agencies to identify and notify these individuals.

Victims who had their SSNs stolen will receive one year of free credit monitoring services.There are additional steps anybody can take to help protect their identity and their financial information.This includes placing either a freeze or a fraud alert on their personal credit file with the nation’s three credit bureaus.For information on how to do this, visit

As many as 350,000 additional people may have had other, less-sensitive information, such as their names, birth dates, and addresses accessed through eligibility inquiries.These people will also receive a letter alerting them to the situation.However, priority will be placed on alerting those who had their Social Security numbers stolen first.

It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.
FRIDAY, April 6:
Salt Lake City, UT) – A cyber attack on a Utah Department of Technology Services (DTS) computer server that stores Medicaid claims data now appears to have affected far more recipients than originally believed. In addition to Medicaid clients, the breach also involved information from Children’s Health Insurance Plan (CHIP) recipients.

As part of its on-going investigation into the attack, DTS today reported to the Utah Department of Health (UDOH) that approximately 181,604 Medicaid and CHIP recipients had their personal information removed from the server. Of those individuals, 25,096 appear to have had their Social Security numbers compromised.

The UDOH will immediately begin reaching out to clients whose personal information was stolen during the attack, with priority being placed on those clients whose Social Security numbers were jeopardized. Those clients will receive a letter in the mail instructing them on how to take advantage of free credit monitoring services for one year.

Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims. However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals.

DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.

DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.

The investigation into the breach of the server is ongoing, and the two agencies will continue to update the public with any further developments.
APRIL 4, 2012:
(Salt Lake City, UT) – The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) Monday evening of an information breach on a DTS server that houses Medicaid claims. The initial breach appears to have taken place on Friday, March 30. During the breach, information was accessed from approximately 24,000 claims.

DTS is investigating to determine how many individual Medicaid clients may have been affected, and what personal information may have been compromised. Typically, claims stored on servers like the one that experienced the breach could include client names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes
MIAOULIS NOTE: DTS servers have multi-layered security systems, but did not have encryption.  Learn from other's mistakes.  Could this happen at your organization?  Why not? 
This keeps growing and is interesting to watch.  From 24,000 claims to 24,000 files to 280,000 folks with SSN and an additional 350,000 people.  Stay tuned.

No comments: