SALT LAKE CITY (Reuters) - A data security breach of Utah’s state health records was far larger than first reported, with hackers from Eastern Europe now believed to have gained access to private information of some 780,000 patients, state officials said on Monday.
The intrusion exposed the Social Security numbers of about 280,000 individuals to potential theft and compromised less sensitive personal information such as names, addresses and birth dates of an estimated 500,000 others, Utah Department of Health spokesman Tom Hudachko said.
“It’s certainly worrisome,” Hudachko said. “We’ve got a large amount of people out there whose information potentially is now in the hands of people who shouldn’t have it.” The bulk of the victims were recipients or potential recipients of Medicaid, a federal-state program that subsidizes healthcare for the needy, the aged and the disabled. But some records were from the state-administered Children’s Health Insurance Program, or CHIP, for children of low-income families. About 260,000 Utah residents are Medicaid clients, including some children, state Health Department spokeswoman Charla Haley said. The number of children enrolled in CHIP is 40,000, though some of them could be covered under Medicaid as well, she said.
It remained unclear whether the full extent of the data breach has been pinpointed or whether the scope of the damage could grow as investigators from Utah’s Department of Technology Services continue to examine the intrusion.
Further investigation may find instances in which a single patient accounted for multiple records that were hacked, so “there’s the potential that the numbers would shift down,” Hudachko said. The cyber raid was believed to have originated from hackers in Eastern Europe who circumvented security safeguards on March 30 in a breach that state officials initially thought had exposed 24,000 patient records.
The damage toll climbed to 780,000 after investigators found that the exposed data included an additional 605,000 records sent in recent months by healthcare providers to the state seeking to determine patients’ Medicaid eligibility, Haley said. Health officials have urged all Medicaid patients and providers to keep an eye on bank accounts and other personal records. Customers whose Social Security numbers are found to have been compromised will receive free credit-monitoring services, officials said.
Editing by Steve Gorman, Cynthia Johnston and Lisa Shumaker