Security Magazine

750K More Victims in Utah Health Department Breach

April 10, 2012

An additional 750,000 people had personal information from the Utah Department of Health downloaded by hackers last week, which puts the total victim count at nearly 900,000 people, according to a report from The Associated Press

Yesterday, the number was closer to 182,000 victims, but the original estimate was 24,000. The hackers, working from a computer tracked to Eastern Europe, began stealing files from a single unprotected server containing information on Medicaid recipients on March 30. And although the state has multiple layers of security on each of their nearly 500 servers, a technician recently installed this one with a password that wasn't as secure as needed, says AP.

Officials discovered later yesterday that the thieves actually downloaded thousands more files of data than initially believed, now numbering at about 224,000 files — 200,000 more than estimated Monday morning. Some files contained Social Security numbers, names, addresses and other personal information needed to verify Medicaid coverage.

Victims are being offered free credit monitoring services for a year, and the state is working with the credit bureau TransUnion to register any child's Social Security number to essentially freeze their credit until they are old enough to need it, AP reports. Many of the victims were children from low-income families, who qualified for a special health care program through the state.

The state has checked other servers and has not discovered any other breaches, and officials say that the number of victims is unlikely to increase again.