Hacker steals data on 780,000 Utahns from state computer
By Michael Winter
April 9, 2012
A computer hacker stole Social Security numbers for 280,000 Utahns and swiped names, addresses and birth dates for 500,000 others, state officials said today.
Officials announced the dramatically higher estimates at a news conference, the Salt Lake Tribune reports. Utahns covered by Medicaid or the Children’s Health Insurance Program (CHIP) who sought health care in the past four months are the most likely victims of the identify theft, officials said.
They first believed that the data theft, which occurred late April 1, involved only 24,000 Medicaid payment claims or eligibility inquiries. That estimate grew to more than 182,000 and included people covered by CHIP, among others.
A hacker traced to Eastern Europe first accessed a weakly protected computer server at the Utah Department of Health on March 30. The thief downloaded about 224,000 files, some of which contained hundreds of records, said health department spokesman Tom Huduchko, the Associated Press says. The breach was discovered April 2.
In a statement, the Department of Technology Services explained that a “configuration error occurred at the password authentication level, allowing the hacker to circumvent DTS’s security system.”
The stolen Social Security numbers did not include other personal information, he said. But the files had other data for 500,000 additional individuals.
The DTS noted in an FAQ (pdf) that claims payment and eligibility inquiries “contain sensitive, personal health information from individuals and health care providers. Such information could include Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and billing codes.”
The revised figure means that roughly one in four Utahns may have had their individual information compromised.
State officials will be contacting affected residents. Those whose Social Security numbers were stolen will receive a year of free credit-record monitoring. The news release has more information.