(LiveHacking.Com) – A security breach on a Utah Department of Technology Services (UDTS) server, which was being used by the Utah Department of Health (UDOH) to store Medicaid claims data, has allowed cyber criminals to steal over 280,000 personal records which included Social Security numbers and approximately 500,000 other personal records with less-sensitive personal information (like name, date of birth, and address). The victims are most likely to be those who have visited a health care provider in the past four months. As a result of the breach the UDOH is offering free credit monitoring services for one year for all those affected.
In a lesson in the difference between policy and implementation, the UDTS admitted that it has processes in place to ensure the state’s data is secured, but this particular server, which had a configuration error that allowed the hackers to circumvent security, was not configured according to normal procedure. And almost as if taken from a template of things to say when your servers are breached, the UDTS said it has identified where the breakdown occurred and has implemented new processes to ensure it will not happen again!
“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” said UDOH Deputy Director Michael Hales. “But we also hope they understand we are doing everything we can to protect them from further harm.”
Possible victims should be aware that nobody from DTS or UDOH will be contacting them and asking for personal information over the phone or via e-email regarding this incident.
The data breach initially occurred on Friday, March 30 and the hacker is believed to be from Eastern Europe. DTS is cooperating with local law enforcement, as well as the FBI, on a criminal investigation.
Medicaid clients can call 1-800-662-9651 to find out if their information was compromised during the attack. Additional information can also be found online at www.health.utah.gov/databreach.