A large-scale theft of Social Security numbers, and other personally identifiable information from a server at the Utah Department of Health is being traced to a configuration error at the password authentication level.
The breach, discovered April 2, compromised 280,000 Social Security numbers and 500,000 records that included other personal data, a significantly higher number of records than officials first believed. Personal information that was stolen includes names, addresses, birth dates and some details contained in patient health records.
The likely victims of the breach are Utah residents covered by the children’s health insurance program or Medicaid, who received health-care services in the past four months. Other records were jeopardized when health-care providers checked patient Medicaid status.
According to USA Today, the attack originated from Eastern Europe.
Utah officials explained in a news release that normal security procedures ensure the security of the state’s data, but this particular server was configured incorrectly. “DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again.”
The state is in the process of notifying potential victims, with priority given to those whose Social Security numbers were compromised. Those whose Social Security numbers were stolen will receive free credit record monitoring for one year.
Utah’s Department of Technology Services reports that it is cooperating with law enforcement on a criminal investigation of the data breach. Officials caution potential victims to be aware of scammers who may claim to represent the state regarding this incident and attempt to gather personal information via phone calls or emails.