Utah Medicaid Data Breach Far Worse Than Originally Reported
A huge proportion of the state’s Medicaid clients — two-thirds of them children — are victims of hackers who broke into an inadequately protected computer server at the Utah Department of Health, officials said Friday.
The cyber invasion started a week ago, with most of the data stolen from 181,604 Medicaid and Children’s Health Insurance Program recipients between Sunday night and Monday morning. Of those clients, 25,096 appear to have had their Social Security numbers compromised.
Earlier this week, officials said the hackers appear to have operated from Eastern Europe. On Friday, Michael Hales, the Health Department’s Medicaid director, emphasized there was no evidence of an inside job, as happened in 2010 when two Department of Workforce Services employees accessed confidential documents to create a list of 1,300 alleged illegal immigrants that was leaked to law enforcement and the news media.
“This is some external party maliciously attacking a server,” Hales said. “It just looks like processes broke down.”
While the breach was traced to an Eastern European location, investigators don’t know if that is where the hacking originated.
The breach was initially reported Wednesday as involving 24,000 claims. As the investigation progressed, officials said 24,000 files had been stolen, which meant the number of people affected would be far higher. Hospitals, clinics and providers batch multiple claims into files for submission to the Health Department. A single file can contain claims information on hundreds of individuals.
The state’s computer systems are the responsibility of the Department of Technology Services. On Thursday, Boyd Webb, the agency’s chief information security officer, said he knew who was responsible for putting the server online without its proper security but wouldn’t give a name. “I believe it was just a mistake,” he said.
The state manages 260,000 Medicaid clients and 40,000 in CHIP. About two out of three Medicaid recipients are children.
Technology Services computer servers have multi-layered security systems that include many controls. Utah Department of Health spokesman Tom Hudachko said that in this particular incident, a configuration error occurred at the level where passwords are entered, allowing the hacker to invade the security system. Technology Services has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.
Technology Services detected an “unusual volume [of data] streaming out of the server” on Monday morning, Hales said.