A cyber attack on a Utah Department of Technology Services (DTS) computer server that stores Medicaid claims data now appears to have affected far more recipients than originally believed. In addition to Medicaid clients, the breach also involved information from Children's Health Insurance Plan (CHIP) recipients.
As part of its on-going investigation into the attack, DTS today reported to the Utah Department of Health (UDOH) that approximately 181,604 Medicaid and CHIP recipients had their personal information removed from the server. Of those individuals, 25,096 appear to have had their Social Security numbers compromised.
The UDOH will immediately begin reaching out to clients whose personal information was stolen during the attack, with priority being placed on those clients whose Social Security numbers were jeopardized. Those clients will receive a letter in the mail instructing them on how to take advantage of free credit monitoring services for one year.
Once those clients have been notified, all other affected clients will receive letters with information on how to further protect themselves. Additionally, clients who have signed up for a My Case account (a web portal clients can use to access their accounts) had information on the breach posted to their accounts along with an e-mail notification.
"We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised," said UDOH Deputy Director Michael Hales. "But we also hope they understand we are doing everything we can to protect them from further harm."
Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims. However, as the investigation progressed, DTS determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals.
DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure.
DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again. Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.
The investigation into the breach of the server is ongoing, and the two agencies will continue to update the public with any further developments.
Concerned Medicaid clients are still encouraged to call 1-800-662-9651 to get more information on how to protect themselves and their identities.
Consumers can freeze their credit lines by contacting the nation's three credit bureaus. By freezing your credit, anytime you apply for a mortgage, car loan, credit card, department store account, or any other type of credit, you will have to confirm your identity and unlock your credit report.
The Federal Fair and Accurate Credit Transactions Act of 2003 (FACT Act) also allows you to get one free copy of your credit file every 12 months from each of the nationwide credit reporting agencies.