FOR HELP CALL 1.801.538.6923

If you have questions about whether your Social Security number was stolen, call Utah's Data Security Ombudsman.



First and foremost, we at the Utah Department of Health understand how upsetting this data breach is. We apologize for the stress it has caused and are working diligently to protect the identities of everyone who was affected.

What Happened?

On March 10, 2012, computer hackers illegally gained access to a Utah Department of Technology Services (DTS) computer server that stores Medicaid and CHIP claims data. 

The hackers began removing personal information from the server on March 30. On April 2, DTS detected the breach and immediately shut down the server.

By that time, the Social Security numbers of up to 280,000 people, as well as less-sensitive personal information from up to 500,000 others, had been stolen.

What Information Was Stored on the Server?

Information stored on the server may have included Social Security numbers, names, dates of birth, addresses, diagnosis codes, national provider identification numbers, provider taxpayer identification numbers, and medical billing codes. 

Personal financial information, such as bank account numbers or credit card numbers, WAS NOT stored on this server and WAS NOT compromised.

Did It Only Affect Medicaid and CHIP Clients? 

At first, it appeared that the stolen information belonged to Medicaid and CHIP clients only. However, DTS discovered that other people had been affected. 

Healthcare providers often send Medicaid Eligibility Inquiries to the state to find out if certain patients are enrolled in Medicaid or CHIP. The inquiry and some of the patient’s personal info are temporarily stored by the state in order to determine if the patient is enrolled in either Medicaid or CHIP.

In other words, even if you're not on Medicaid or CHIP, but you or your child visited a healthcare provider in Utah prior to the breach, there's a chance your info was stolen. 

To find out if it was, click here

How Did the Breach Happen?

The hackers were able to bypass the security system because an inadequate password had been placed on the server.

DTS has sophisticated processes in place to secure all of the data on state computer servers, but this particular server hadn't been configured appropriately.

An independent IT audit is currently underway that will assess the state’s data security and data storage procedures. The results of this audit, along with the results of already completed internal audits, will be used to ensure all state data is safe and secure.