State officials in Utah on April 9 again revised upward the number of individuals affected by a March 30 healthcare information hacking incident. They now estimate that as many as 780,000 patients were affected by the data breach. Of those, 280,000 had Social Security numbers exposed, according to a statement.
All those affected are being notified of the breach, which authorities believe involved East European hackers accessing a state server. Those whose Social Security numbers were exposed will receive one year of free credit monitoring services.
Earlier, the Utah Department of Health reported that Medicaid clients and Children's Health Insurance Plan recipients had their claims data compromised (see: Utah Health Breach Impact Grows). As a result of their continuing investigation, however, the department now reports that other patients affected include those whose information was sent to the state by their healthcare provider to determine if they were eligible for Medicaid.
In general, the victims are likely to be patients who have visited a healthcare provider in the past four months, officials say.
Largest Hacking Incident?
If the numbers prove accurate, the Utah breach is the largest healthcare hacking incident reported since the HIPAA breach notification rule went into effect in September 2009. Only about 7 percent of the more than 400 major breaches reported have involved hacking, Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, said in a recent presentation.
Before the Utah incident, the largest breach involving hacking was at Seacoast Radiology in Rochester, N.H., which notified 230,000 patients in January 2011 that their information had been exposed to hackers who were using a server to gain bandwidth to play a video game.
In the Utah incident, the compromised information was on a server managed by the state's Department of Technology Services. "In this particular incident, a configuration error occurred at the password authentication level, allowing the hacker to circumvent the security system," according to an April 6 Utah Department of Health statement. "The Department of Technology Services has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure."
Officials have identified where the security breakdown occurred and have "implemented new processes to ensure this type of breach will not happen again," according to the April 6 statement. "Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities."
Exposed information contained in claims may include client names, addresses, birth dates, Social Security numbers, physicians' names, national provider identifiers, tax identification numbers and procedure codes designed for billing purposes, authorities say. The content of Medicaid eligibility transactions varies widely, but could include a mix of the same information as in claims, they add.
The Department of Technology Services is cooperating with local law enforcement, as well as the FBI, on a criminal investigation.