The news out of Utah just keeps getting worse and worse.
Last week, Utah's Department of Health (UDOH) announced that on Friday, the 30th of March, its Department of Technology Services (DTS) had experienced a data breach on a computer server that stores Medicaid and Children’s Health Insurance Program (CHIP) claims data. DTS discovered the breach on Monday, April 2nd, after the hackers started downloading data from the server. In response, DTS immediately shut down the server.
The DTS said that the "information on the server included claims payment and eligibility inquiries. This could include sensitive, personal health information from individuals and health care providers such as Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes."
When the breach was originally announced to the press last Wednesday, April 4th, UDOH reported that the information stolen involved 24,000 claims, and that the signs pointed to the hackers being from eastern Europe.
However, on the next day, news reports indicated that the breach actually involved 24,000 Medicaid related files. The small change in description was significant. On Friday, UDOH admitted that many of the 24,000 files contained hundreds of records each, which raised the total to some 181,000 beneficiaries with some personal information was stolen. (This included 25,000 Social Security numbers.)
According to an AP story, a DTS spokesperson said:
"Although the state has multiple layers of security on every server, a technician installed a password that wasn't as secure as needed."
The state is offering those affected a year of credit monitoring services, but one potential problem is that many of the Social Security numbers stolen are those of children. Social Security numbers of children are highly sought after by identity thieves, because they can be used to fly under the radar for a very long time without getting discovered.
Things then got worse this Monday, April 9th, when UDOH announced that instead of just 24,000 files being stolen, it was actually 224,000 files. That translated into an additional 751,000 medical records compromised, bringing the total to over 925,000 potential victims. According to a story in today's Salt Lake Tribune, DTS has determined that 800,000 Utah residents (or one out of six Utah residents) were definitely affected by the breach, including 255,000 whose Social Security numbers are now possessed by hackers. However, because the records are incomplete on the remaining 125,000 or so victims, they cannot be identified (at least for now) or notified that they may be at risk.
Utah's Governor Gary Herbert told the Tribune that DTS is going to do everything in its power to restore both security and trust in its operations. However, that is likely to take some doing, given how the breach occurred and the fact that the records were not encrypted in the first place. Maybe DTS should take some of its own security advice it likes to give to everyone else.
The Utah breach highlights the point made in an IT security report (pdf) that Verizon released last month. Verizon's examination of hundreds of data breaches in 2011 showed that in 97% of the data breaches it examined, hackers used rather simple methods of attack to gain access to their victims' systems.
According to a Verizon security analyst,"the breached companies lacked firewalls, had ports open to the Internet or used default or easy-to-guess passwords."