Utah Gets a Cybersecurity Rude Awakening: 181,000 Medical Records Hacked


With cybersecurity the way that it is, data breaches are constantly rolling news, and when it comes to cultures such as Anonymous and hacktivist groups like LulzSec, it was the amount of data taken or the number of lives touched that made the appeal. That’s why, when a data breach in Utah exposes health claims connected to potentially more than 25,096 individuals, it makes big news.

The Utah Department of Technology Services and the Utah Department of Health revealed Friday that they’d suffered an attack from apparent Eastern European hackers who accessed and pilfered the personal information from 181,604 Medicaid and CHIP (Children’s Health Insurance Plan) records. Wednesday, the UDOH claimed the breach was limited to only about 24,000 claims; but further investigation revealed that it was 24,000 files removed with at least one file containing information on hundreds of individuals.

“We understand clients are worried about who may have accessed their personal information, and that many of them feel violated by having their information compromised,” said Michael Hales, deputy director of the Health Department. “But we also hope they understand we are doing everything we can to protect them from further harm.”

Claims typically could include client names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes, the UDOH said Wednesday.

According to sources regarding the event, the multifactor authentication that would have protected access to the server was circumvented by the hackers via a configuration error. The server is now shut down pending investigation and a fix for the breach.

States need to start treating proprietary citizen information with encrypted care

According to an article on ModernHealthCare.com published last week about the breach, the data in question was not encrypted.

This is a gigantic problem, especially given the type of information stored and the confidential and personal value of the data. Worse, because this data is stored at such high density and in one place, all it takes is one person circumventing the safeguards (or simply gaining access to the storage) to take all of it away. That the State of Utah government doesn’t have a proprietary encryption policy shows that they haven’t thought thoroughly about the cybersecurity of their citizens’ personal information.

We’ve seen this problem with nations that lack cybersecurity policies to protect them from attackers, such as how the Caribbean is feeling the burn of lax security protocols on their own Internet business and government infrastructure. It’s not just Anonymous vandalizing websites or LulzSec stealing from Sheriff’s e-mail correspondence that makes this a problem; there are also automated Trojans and malware that could eschew human involvement to reach in and take this information. We could just imagine Kelihos v3 stealing unencrypted Medicaid records in an unguarded server moment.

Medical information is particularly low-hanging fruit for criminals, and since it’s tightly connected to identity theft and medical fraud (even Medicaid fraud), it needs to be treated as a valuable and targetable commodity.

If this data had been encrypted when the authentication failed, the hackers would at least have gotten only an encrypted file, potentially discouraging them from attempting to steal it or, ideally, making it too expensive for them to break it open.

Keeping sensitive files encrypted won’t protect institutions from getting breached, but it’s still the best practice we have to help limit the scope and damage of that breach. That more state departments, especially those that deal in extremely sensitive information like the medical profession, haven’t gotten on the ball and started doing this as a matter of course shows that the nation really needs to wake up about security.