Utah Health Care Data Breach Exposed About 780,000 Patient Files

A weak password is to blame for the hacking of a Utah Department of Technology Services server containing patients' Social Security numbers and data on children's health plans.

You've heard it before, but a weak password was once again the cause of a data breach. On March 30, a hacker from Eastern Europe illegally accessed a Utah Department of Technology Services (DTS) server containing Social Security numbers for Medicaid claims.

DTS provides technology services to Utah state agencies.

The breach involved both Medicaid patients and recipients of the Children's Health Insurance Plan, which provides insurance coverage for children who lack other health insurance and meet income guidelines.

The Utah Department of Health initially believed that 24,000 claims had been accessed, but that number is now about 780,000, according to UDOH. The department then reported that 280,000 people had their Social Security numbers stolen and about 500,000 others had less-sensitive personal data, such as name, date of birth and address, compromised.

DTS discovered the breach April 2 and reported it to the public April 4. Following the breach, Utah Governor Gary R. Herbert requested an audit of all procedures for state security and data storage. He also called for an "all hands on deck, around the clock" effort to identify and notify all victims of the breach. Outside firms hired by the UDOH and the Utah Department of Administrative Services (DAS) will conduct a forensic analysis to identify victims.

"Individuals provide sensitive personal information to the government in a relationship of trust," Herbert said in a statement. "It is tragic that not only data was breached, but now individual trust is also compromised."

These servers also typically store names of physicians, national provider identifiers, addresses, tax identification numbers and procedure codes for billing, according to UDOH.

Victims had sent claims to the state as part of a Medicaid eligibility inquiry, UDOH reported.

UDOH has set up the hotline 855-238-3339 and a Website for the latest information on the breach. The Utah state government is offering one year of credit-monitoring services to patients who had their Social Security numbers compromised.

Meanwhile, the FBI and local Utah law enforcement have launched investigations into the breach.

DTS reports that its servers are multilayered with security controls for perimeter, network, application, data security and identity management.

In this case, the affected server suffered a configuration error at the authentication level, according to DTS. "The breach occurred on a server that was put into production without the proper procedure due to an error," Stephanie Weiss, a spokesperson for DTS, wrote in an email to eWEEK.

"DTS continually reviews all processes and tools to ensure best practices," said Weiss. "All servers in the state are required to have secure passwords."

Despite these requirements, passwords in general are rarely changed for "privileged" accounts, according to Adam Bosnian, executive vice president, Americas and corporate development at Cyber-Ark Software, an identity-management vendor.

In fact, passwords on consumer services such as Facebook are more secure than those on shared accounts, Bosnian suggested.

"Despite controlling access to an organization's sensitive data assets, these shared accounts simply do not have the same security standards applied to them," said Bosnian. "The result is that an attacker can easily gain access to these entry points and go undetected for some time if they choose."

He compared the Utah medical records breach to one involving Global Payments and 1.5 million Visa and MasterCard accounts.

"Because these types of privileged accounts can act as a gateway to an organization's most sensitive data and information assets, they've emerged as the primary target for hackers," said Bosnian.

The department has taken steps to improve implementation of computer hardware and software and to ramp up network-monitoring and intrusion-detection capabilities, DTS reported.

"At some point, businesses across industries need to wake up and understand that privileged accounts and passwords are the No. 1 target for attackers," said Bosnian. "Controlling these access points needs to be a priority."

Following the incident, DTS is checking the security measures of all servers in the state, the DOH reported.

"DTS is doing everything they can to restore security," Governor Herbert said. "Now, we must do everything we can to restore trust."