April 10, 2012 By Noelle Knell
A large-scale theft of Social Security numbers and other personally identifiable information from a server at the Utah Department of Health is being traced to a configuration error at the password authentication level.
The breach, discovered April 2, compromised 280,000 Social Security numbers and 500,000 records that included other personal data, a significantly higher number of records than officials first believed. Personal information that was stolen includes names, addresses, birth dates and some details contained in patient health records.
The likely victims of the breach are Utah residents covered by the children’s health insurance program or Medicaid, who received health-care services in the past four months. Other records were jeopardized when health-care providers checked patient Medicaid status.
According to USA Today, the attack originated from Eastern Europe.
Utah officials explained in a news release that normal security procedures ensure the security of the state’s data, but this particular server was configured incorrectly. “DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again.”
The state is in the process of notifying potential victims, with priority given to those whose Social Security numbers were compromised. Those whose Social Security numbers were stolen will receive free credit record monitoring for one year.
Utah’s Department of Technology Services reports that it is cooperating with law enforcement on a criminal investigation of the data breach. Officials caution potential victims to be aware of scammers who may claim to represent the state regarding this incident and attempt to gather personal information via phone calls or emails.
You may use or reference this story with attribution and a link to http://www.govtech.com/security/Utah-Health-Data-Breach-Blamed-on-Configuration-Error.html
Not sure how this stuff continues to happen? You'd think after Sony's nightmare PSN compromise that IT Directors the world over would tear this stuff apart performing self-scouting to ENSURE/INSURE that all holes are closed and secure with layers.
No one has the money to 'tear this stuff apart' and close all holes. In this case, people are blaming the IT staff and ignoring that there were criminals involved. Only 3% of all vulnerabilities are ever exploited, so management views closing the other 97% as a waste of money. That logic fails because no one knows which 3% will be exploited. The issue I see is much larger. Criminals go after this type of information so they can commit ID fraud. Our instant credit economy and our refusal to use existing solutions have created the most frequently committed crime in the country. When will our government or the private sector deploy a reliable method of authentication so ID fraud will stop? NSTIC is promising but it really just kicks the problem to the private sector, and we are still victims.