Monday, April 9, 2012

Data Breach Expands to Include More Victims

(Salt Lake City, UT) – The Utah Department of Technology Services (DTS), along with the Utah Department of Health (UDOH) today announced up to 255,000 additional people had their Social Security numbers listed in data stolen by thieves from a computer server last week. These latest victims are people whose information was sent to the state by their health care provider in a transaction called a Medicaid Eligibility Inquiry to determine their status as possible Medicaid recipients.
The victims are likely to be people who have visited a health care provider in the past four months. Some may be Medicaid or CHIP recipients; others are individuals whose health care providers were unsure as to their status as Medicaid recipients.
DTS has started the process of identifying these additional victims, and the state will be sending letters directly to them as they are identified. Some of the 255,000 Social Security numbers were not accompanied by any other indentifying information (such as names and addresses), so DTS will likely need to coordinate with other agencies to identify and notify these individuals.
Victims who had their SSNs stolen will receive one year of free credit monitoring services. There are additional steps anybody can take to help protect their identity and their financial information. This includes placing either a freeze or a fraud alert on their personal credit file with the nation’s three credit bureaus. For information on how to do this, visit
As many as 350,000 additional people may have had other, less-sensitive information, such as their names, birth dates, and addresses accessed through eligibility inquiries. These people will also receive a letter alerting them to the situation. However, priority will be placed on alerting those who had their Social Security numbers stolen first.
It is now believed that a total of approximately 280,000 victims had their Social Security numbers stolen and approximately 500,000 other victims had less-sensitive personal information stolen.
Possible victims should be aware that nobody from DTS or UDOH will be contacting them and asking for personal information over the phone or via e-email regarding this incident. Scammers may attempt to reach victims in this manner. We strongly recommend that people do not provide private information in response to telephone or e-mail contacts they have not initiated.
The data breach initially occurred on Friday, March 30. A configuration error occurred at the password authentication level, allowing the hacker to circumvent DTS’s security system. DTS has processes in place to ensure the state’s data is secure, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again.
DTS is cooperating with local law enforcement, as well as the FBI, on a criminal investigation.
Medicaid clients can call 1-855-238-3339 to find out if their information was compromised during the attack. Additional information can also be found online at
# # #

Media Contacts:
Tom Hudachko
UDOH Public Information Officer
801-538-6232 / 801-560-4649

Stephanie Weiss
DTS Public Information Officer