State officials in Utah now say nearly 182,000 Medicaid clients and Children's Health Insurance Plan recipients had their claims data compromised in a recent hacking incident that they originally believed affected only about 24,000 Medicaid claims.
Authorities say that about 25,000 individuals' Social Security numbers were exposed in the data breach, which is believed to involve Eastern European hackers. Those victims will be offered a year's worth of free credit monitoring services.
"Initially, it appeared as though the hackers who broke into the server were able to remove 24,000 claims," according to a statement from the Utah Department of Health. "However, as the investigation progressed, the Utah Department of Technology Services determined the thieves actually removed 24,000 files. One single file can potentially contain claims information on hundreds of individuals."
Hacking incidents are relatively rare in healthcare. Since the HIPAA breach notification rule went into effect in September 2009, only about 7 percent of the more than 400 major breaches reported have involved hacking, Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, said in a recent presentation.
In what appears to be the largest healthcare hacking incident reported under the breach notification rule, Seacoast Radiology in Rochester, N.H., notified 230,000 patients in January 2011 that their information had been exposed to hackers using a server to gain bandwidth to play a video game.
Hacking Incident Details
In the Utah incident, the compromised information was on a state server managed by the technology services department. "In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system," according to the Utah Department of Health's statement. "The Department of Technology Services has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure."
Officials have identified where the security breakdown occurred and have "implemented new processes to ensure this type of breach will not happen again," according to the statement. "Additional steps are being implemented to improve security controls related to the implementation of computer hardware and software, as well as increased network monitoring and intrusion detection capabilities."
In an earlier statement, authorities said the technology services department notified the health department April 2 that the data breach occurred March 30. That statement noted that claims may include client names, addresses, birth dates, Social Security numbers, physician's names, national provider identifiers, tax identification numbers and procedure codes designed for billing purposes (see: Hackers Access Medicaid Records).