Hackers, believed to be from Eastern Europe, recently accessed 24,000 Medicaid claims for Utah patients.
The Utah Department of Technology Services had recently moved the claims to a new server, and hackers were able to circumvent the server's multi-layered security system, according to a Utah Department of Health release. "The affected server has been shut down, and new security measures have since been implemented," the release states.
The technology services department notified the health department April 2 that the data breach occurred March 30.
The health department is conducting an investigation to determine how many Medicaid clients may have been affected and what personal information may have been compromised. Although it has not yet confirmed what information was compromised, the health department acknowledges that claims typically include client names, addresses, birth dates, Social Security numbers, physician's names, national provider identifiers, tax identification numbers and procedure codes designed for billing purposes.
The health department will notify affected Medicaid clients by mail. Those whose Social Security numbers were compromised will receive free credit monitoring services.
The technology services department is reviewing all state servers to ensure that proper security measures are implemented. The health department is reviewing its security policies and procedures as well.
Hacking incidents are relatively rare in U.S. healthcare. Since the HIPAA breach notification rule went into effect in September 2009, only about 7 percent of the major breaches reported have involved hacking, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights.