Medicaid Data Breach

April 11, 2012

I am horrified at what has happened at Utah’s Department of Health.  Here is what you need to know:

Q: What happened?

A: On Friday, March 30, 2012, computer hackers illegally gained access to a Utah Department of Technology Services (DTS) computer server that stores Medicaid and CHIP claims data.  The thieves began removing data from the server late on the night of Sunday, April 1.  DTS detected the security breach on Monday, April 2 and immediately shut down the server.  As its investigation proceeded, DTS discovered that data from eligibility inquiries (inquiries sent from health care providers to determine if patients are enrolled in Medicaid) was also stored on the server.  This additional data included information from individuals who may not be Medicaid or CHIP clients.

The breach occurred due to an error on the server at the password authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.

Q: What kind of information was on the server?

A: Claims payment and eligibility inquiries contain sensitive, personal health information from individuals and health care providers.  Such information could include Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.

Q: Who had their information stored on the server?

A: Medicaid and CHIP recipients had information stored on the server. Other potential victims include people whose information was sent to the state by their provider in a transaction called a Medicaid Eligibility Inquiry to determine their status as possible Medicaid recipients.  These victims are likely to be people who have visited a health care provider in the past four months.  Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients.

Q: How many victims are there?

A: The most sensitive information stored on the server was individuals’ Social Security numbers (SSNs).  Approximately 25,096 Medicaid and CHIP clients had their SSNs stolen off the server.

An additional 255,000 other individuals who may not be Medicaid and CHIP clients also had their SSNs stolen. These individuals are people who likely visited a health care provider in the past four months and had their information sent to the state by their provider to inquire about their status as a Medicaid recipient.

Other less sensitive information, such as names, dates of birth, and addresses, was also stored on the server. As many as 500,000 individuals may have had this type of information compromised.

Q: Was any of my personal information on the server, and how will I know if it was stolen?

A: If you are a victim in this case, you will be receiving a letter from the Utah Department of Health (UDOH).  UDOH has already begun sending letters to all 25,096 Medicaid and CHIP clients who had their SSNs stolen.  These letters will include information on how to take advantage of free credit monitoring services for one year.

DTS is in the process of identifying the other 255,000 victims whose SSNs were stolen, and UDOH will also be sending letters to them as they are identified.  These individuals are people who likely visited a health care provider in the past four months and had their information sent to the state by their provider to inquire about their status as a Medicaid recipient.

Anyone who had other, less-sensitive personal information stolen will also receive letters.

Possible victims should be aware that nobody from DTS or UDOH will be contacting them and asking for information over the phone or via e-mail regarding this incident.  Scammers may attempt to reach victims in this manner.  Do not provide private information in response to telephone or e-mail contacts you have not initiated.

Q: Is my personal information at risk?

A: Based on the format in which the data is stored on DTS servers, it is likely that any personal information stolen during the attack could be used for fraudulent purposes.  Using your personal information in this manner is a federal crime, and the FBI is investigating this incident as a criminal act.  If your information has been stolen, or if you feel it may have been, it’s important for you to take steps to protect yourself.

Q: What can I do to protect myself from identity theft?

A: If your Social Security number was stolen, you will receive a letter with instructions on how to receive one year of free credit monitoring services from Experian, a global leader in the credit monitoring field. This service includes daily credit monitoring, alerts of key changes to credit files, and identity theft insurance.  Please activate this service!

There are a number of other steps you can take to protect yourself from identity theft, including freezing your credit and placing a fraud alert on your personal credit file.  You must initiate these activities on your own with each of the nation’s three credit bureaus.  For information on how to do this, visit http://idtheft.utah.gov.

Q: How likely is it that the information was stolen for identity theft?

A: DTS is cooperating in a criminal investigation with the FBI and Utah Department of Public Safety. At this point, there have been no reports of identity theft related specifically to this incident.  However, given the sensitive nature of the stolen data, and information law enforcement has been able to compile about the thieves, including their potential whereabouts and their high level of sophistication, it is likely the motive for the breach is to use the stolen information in a fraudulent manner.

Q: How is information stored and how were the hackers able to access it?

A: DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the password authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state’s data is secured, but this particular server was not configured according to normal procedure.

Q: What is being done to ensure other information is secure?

A: DTS has identified where the breakdown in security occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.

Q: What are DTS and UDOH doing to address this problem?

  • Sending each victim a letter of notification.
  • Providing free credit monitoring services for victims whose Social Security numbers were compromised.
  • Hosted a news conference Wednesday, April 4, and issued follow-up news releases or hosted follow-up news conferences on Friday, April 6 and Monday, April 9 as part of a broad-based effort to inform the public about the recent theft.
  • Set up a Web site (http://www.health.utah.gov/databreach), which provides more detailed information about the incident and the resources we’ve dedicated to helping you.
  • In addition, Medicaid and CHIP clients can call 1-800-662-9651 to find out if their information was compromised.

Q: If people have additional questions regarding this issue, what should they do?

A: Please visit http://www.health.utah.gov/databreach, which is the principal source for information about the incident.
