Utah's Medicaid hack estimate has grown a second time. This time we have gone from over 180,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients having their personal information stolen to a grand total of 780,000 affected. More specifically, the state now says approximately 500,000 victims had sensitive personal information stolen and 280,000 victims had their Social Security numbers (SSNs) compromised.

You may be a victim if: a) your information was sent to the state by your health care provider in a transaction called a Medicaid Eligibility Inquiry to determine your status as possible Medicaid recipients or b) you have visited a health care provider in the past four months. You should contact your health care provider especially if you are a Medicaid or CHIP recipient, but also if you are not, since the state believes individuals whose health care providers are unsure as to their status as Medicaid recipients could be victims.

All Medicaid clients are being advised to monitor their credit and bank accounts. If you think you may be a victim, place either a freeze or a fraud alert on your personal credit file with the nation's three credit bureaus, to help protect your identity and your financial information. More details are available at this webpage: Utah's Identity Theft Solution.

Last but not least, do not provide any information to telephone or e-mail contacts who claim to be from the state. Scammers may attempt to reach victims and you should not believe anyone who contacts you asking for personal details.

This all started on April 2, when the Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) the server that houses Medicaid claims was hacked. On April 4, the UDOH publicly announced the breach, quoting the DTS which said information was accessed from approximately 24,000 claims.

Unfortunately, it turned out the hackers had made off with 24,000 files, and one single file can potentially contain claims information on hundreds of individuals. This is why on April 6, the DTS confirmed the number of Medicaid clients affected was actually 181,604. Of those, 25,096 appear had their Social Security numbers (SSNs) compromised. Now on April 9 (today), DTS updated the total to 780,000 victims, with some having just their personal information stolen, some having just their SSNs compromised, and the rest having both pilfered.

I think it's worth noting that last time, DTS gave exact numbers for total people affected and the subset of those whose SSNs were stolen (I truncated the numbers for the title). This time, both numbers are separate, and have been either rounded or truncated. This would suggest that the 780,000 total is just an estimate: the real number could be much lower or much higher.

Claims stored on servers like the one that experienced the breach can include client names, addresses, birth dates, SSNs, physician's names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes.

The additional victims are being identified now: some of the SSNs were not accompanied by any other identifying information (such as names and addresses), so DTS will be coordinating with other agencies to identify and notify these individuals. The UDOH will be reaching out to clients whose personal information was taken during the attack, with priority being placed on those clients whose SSNs were compromised – the latter group will receive free credit monitoring services for one year.

DTS had recently moved the claims records to a new server, which had a configuration error at the password authentication level, allowing hackers to circumvent the security system. DTS says it shut down the affected server, implemented new security measures, is reviewing every server in the state to ensure proper security measures are in place, identified where the breakdown occurred, and has implemented new processes to ensure this type of breach will not happen again.

Furthermore, the agency is cooperating with law enforcement, including the FBI, in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012.

See also: