Utah Medicaid Data Breach Could Affect at Least 24,000 Individuals


On Wednesday, the Utah Department of Health announced a data breach involving about 24,000 Medicaid claims that was caused by Internet hackers, the Salt Lake City Deseret News reports (Lee, Salt Lake City Deseret News, 4/4).

The breach initially seemed to have affected claims representing at least 9% of Utah's 260,000 Medicaid beneficiaries. However, officials said the full extent of the breach likely is wider because claims often contain data on more than one individual (Nelson, Reuters, 4/4).

Breach Details

UDOH said the breach occurred March 30 as Utah Department of Technology Services technicians were exchanging computer servers (Salt Lake City Deseret News, 4/4).

Stephen Fletcher -- executive director of UDTS -- said it appears that "very sophisticated" hackers used passwords to access a server, but officials are uncertain about how the hackers bypassed security.

Michael Hales -- Medicaid director for UDOH -- said the state's computer servers normally are protected with several security measures. However, the measures were not in place for the breached server (Henetz, Salt Lake Tribune, 4/4).

Types of Data Breached

According to the Deseret News, beneficiary data stored on servers like the one breached could include:

  • Names;
  • Birth dates;
  • Addresses; and
  • Social Security numbers.

Health care provider data on such servers could include:

  • Names;
  • National provider identifiers;
  • Addresses;
  • Tax identification numbers; and
  • Procedure codes for billing purposes.

State Response

UDOH spokesperson Tom Hudachko said the affected server has been shut down. State officials are investigating why the server did not have appropriate security, according to the Deseret News (Salt Lake City Deseret News, 4/4).

Officials also said they are examining all state servers and reviewing policies to ensure that effective security measures are in place (Reuters, 4/4).

UDOH plans to mail letters to individuals whose records were compromised once the agency determines who was affected by the breach. In addition, those affected will receive no-cost credit-monitoring services, according to Hudachko (Salt Lake Tribune, 4/4).

to share your thoughts on this article.