An estimated 780,000 people in the state of Utah have been affected by a recent Medicaid data breach, according to the FAQ document published by the Utah Department of Technology Services (DTS) and the Utah Department of Health (UDOH).
The data breach occurred on March 30, 2012, when computer hackers gained access to a Utah Department of Technology Services (DTS) computer server that stores Medicaid and CHIP claims data. Not all victims were Medicaid recipients — some could be patients whose information was sent to the state as part of a “Medicaid Eligibility Inquiry” to determine their Medicaid status.
The initial announcement on April 4 stated that approximately 24,000 claims were accessed during the breach, but as the investigation began, the number of individuals affected grew immensely. As of April 9, Utah DTS and UDOH officials believe that approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen. Utah DTS is giving one year of free credit monitoring services to victims who had their SSNs stolen.
Hackers were able to access the data “due to an error on the server at the password authentication level,” according to the FAQ. The FAQ also states that Utah DTS has security processes in place to prevent illegal server access, but the hacked server “was not configured according to normal procedure.”
This raises the question: What good are health care data security procedures if they are not being followed? Perhaps it was simply human error — maybe someone forgot to reset the default password, or checked off an incorrect box when configuring the settings — that left the server vulnerable to being hacked. Can data security procedures be tightened to account for the possibility of human error?
Utah’s DTS says it has “implemented new processes to ensure this type of breach will not happen again” and is taking additional steps “to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities.”
Experts have predicted that health care data breaches will get worse before they get better, due to lax PHI security procedures. Utah’s Medicaid data breach reveals that even with security procedures in place, health care data remains vulnerable.