SALT LAKE CITY (Reuters) - A data security breach at the Utah Health Department, believed to be the work of Eastern European hackers, has exposed 24,000 U.S. Medicaid files bearing names, Social Security numbers and other private information, state officials said on Wednesday.
The intrusion initially appeared to have affected claims representing at least 9 percent of the 260,000 clients of Medicaid in Utah. But because each file often contains information on more than one individual, the full extent of the breach is probably wider, officials said.
Medicaid is a federal-state program that helps pay for healthcare for the needy, the aged and disabled. The state determines eligibility and which services are covered, and the federal government reimburses a percentage of the state’s expenditures.
“At this point, efforts are focused on determining the number and identity of individual clients who may have had their information compromised during the breach,” the state Health and Technology Services departments said in a joint statement.
Investigators determined that the breach occurred last Friday, and “late Sunday someone started taking information off the server”, Health Department spokesman Tom Hudachko told Reuters.
Hudachko said the Technology Services Department notified state health officials Monday evening about the cyber attack.
Technology Services had recently moved the claims in question to a new server, allowing the hackers “to circumvent the server’s multi-layered security system,” according to officials.
“This attack, as much as we have been able to tell so far, was limited to this one particular server,” Hudachko said.
He said the cyber attack is believed to have originated in Eastern Europe, based on a suspicious Internet Protocol, or IP, address, but investigators are still trying to pinpoint the precise source.
“There are a couple of countries that they have been able to narrow it down to,” he said.
Utah state Senator Allen Christensen, who also is a practicing dentist, said each compromised claim is going to have two parties involved - both the recipient and the provider.
“I submit Medicaid claims myself. I‘m probably included in that bunch,” he said. “There is a significant amount of information on there including my Social Security number and my employer identification number, my address and all the rest of the stuff.”
Christensen, chairman for the Utah State Health and Human Services Committee, expressed grave concerns over the impact on the Medicaid population in Utah and suggested the database was left vulnerable by human error.
“The security steps that normally should have been taken were not taken, and somebody simply failed to push a correct button, and that left it open so someone could hack into it,” he said.
State officials said they were examining all servers and reviewing policies and procedures to ensure effective security measures are in place.
“Obviously we will be most concerned with individuals who had their Social Security numbers compromised,” Hudachko said. The compromised files also contain individuals’ names, addresses and other private information.
State Health officials are urging all their Medicaid clients and providers to keep a wary eye on their bank accounts and other personal records. Customers whose Social Security numbers are found to have been compromised will receive free credit monitoring services, officials said.
Editing by Steve Gorman and Paul Simao