Utah Department of Health - 2012

Utah Medicaid clients have had their information exposed by a hack of an improperly protected Utah Department of Health computer server. The breach was discovered when an unusual amount of data was found to be streaming out of the server on April 2. Medicaid clients who had not had their Social Security numbers transitioned into the system had their Social Security numbers exposed. A majority of the affected individuals had medical claims, dates of birth, addresses, physicians' names, and other forms of medical information exposed, but not Social Security numbers. Two out of three of those who were affected were children. The cost of working with the credit-reporting company Experian to contain the breach is estimated to be $460,000.

UPDATE (04/10/2012): Though the number of affected individuals was originally reported as 181,604 with 25,096 Social Security numbers exposed, Utah Department of Health reported that nearly 280,000 people had their Social Security numbers exposed by the breach. An additional 500,000 victims did not have their Social Security numbers exposed, but had some form of personal information such as date of birth, name, and address exposed. People who visited a health care provider in the past four months are likely to have been affected by the breach.

UPDATE (05/15/2012): The governor of Utah fired the Director of the Department of Technology Services and appointed a new employee, an ombudsman, to shepherd victims through the process of protecting their identities and credit. Two other members of the technology services department are under review. The vulnerability that caused the breach was partly, if not fully, due to failure to change a default password. Additionally, data will now be encrypted while it is on Utah servers as well as when it is in transit.

UPDATE (07/22/2012): Those who wish to learn more about the Utah Department of Health breach will be able to attend a series of statewide workshops running from July 26 until August 22. Information on Utah's Data Breach Security Tour can be found here.

UPDATE (03/25/2013): The Utah state legislature added a second year of free credit monitoring for those who were affected by the breach. Additionally, a Utah health department official revealed that only 59,500 people had taken advantage of the first year of free credit monitoring service. Those who did not enroll in 2012 may call 801-538-6923 or email ombudsman@utah.gov to sign up for the 2013-2014 term.