On Friday, Utah Department of Health officials said that a recent data breach involved information on 181,604 Medicaid and Children's Health Insurance Program beneficiaries, more than the agency initially reported, the Salt Lake Tribune reports (Henetz, Salt Lake Tribune, 4/6).
Last week, UDOH announced that a data breach occurred on March 30 as Utah Department of Technology Services technicians were exchanging computer servers.
Initially, the agency reported that the breach involved about 24,000 Medicaid files.
Stephen Fletcher -- executive director of UDTS -- said it appeared that "very sophisticated" hackers used passwords to access a server, but officials are uncertain about how the hackers bypassed security.
Michael Hales -- deputy director and Medicaid director for UDOH -- said the state's computer servers normally are protected with several security measures. However, the measures were not in place for the breached server.
Beneficiary data stored on servers like the one breached could include:
- Birth dates;
- Addresses; and
- Social Security numbers.
Health care provider data on such servers could include:
- National provider identifiers;
- Tax identification numbers; and
- Procedure codes for billing purposes (iHealthBeat, 4/5).
UDOH officials said on Friday that although 24,000 files were stolen, each file potentially contains data on hundreds of beneficiaries (AP/Bloomberg Businessweek, 4/6).
Officials said that at least 25,096 beneficiaries "appear to have had their Social Security numbers compromised."
Hales in statement said, "We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised." He added, "But we also hope they understand we are doing everything we can to protect them from further harm" (Conn, Modern Healthcare, 4/6).
Last week, UDOH spokesperson Tom Hudachko said the affected server has been shut down. Officials also said they are examining all state servers and reviewing policies to ensure that effective security measures are in place.
UDOH plans to mail letters to individuals whose records were compromised. In addition, those affected will receive no-cost credit monitoring services, according to Hudachko (iHealthBeat, 4/5).